[
https://issues.apache.org/jira/browse/SLING-12650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Munteanu resolved SLING-12650.
-------------------------------------
Resolution: Fixed
> Newly applied ASF-wide CSP policies break the Sling website
> -----------------------------------------------------------
>
> Key: SLING-12650
> URL: https://issues.apache.org/jira/browse/SLING-12650
> Project: Sling
> Issue Type: Bug
> Components: Site
> Reporter: Radu Cotescu
> Assignee: Robert Munteanu
> Priority: Major
>
> The CSP added via https://github.com/apache/infrastructure-p6/pull/2025/files
> only allows resources served by the ASF servers to be loaded by the browser.
> This breaks the Sling website:
> {noformat}
> Refused to load the stylesheet
> 'https://cdnjs.cloudflare.com/ajax/libs/bulma/0.7.5/css/bulma.min.css'
> because it violates the following Content Security Policy directive:
> "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not
> explicitly set, so 'style-src' is used as a fallback.
> apache-sling-eventing-and-job-handling.html:1 Refused to load the script
> 'https://www.apachecon.com/event-images/snippet.js' because it violates the
> following Content Security Policy directive: "script-src 'self'
> 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/". Note that
> 'script-src-elem' was not explicitly set, so 'script-src' is used as a
> fallback.
> apache-sling-eventing-and-job-handling.html:8 Refused to load the stylesheet
> 'https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/default.min.css'
> because it violates the following Content Security Policy directive:
> "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not
> explicitly set, so 'style-src' is used as a fallback.
> apache-sling-eventing-and-job-handling.html:1 Refused to load the script
> 'https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/highlight.min.js'
> because it violates the following Content Security Policy directive:
> "script-src 'self' 'unsafe-inline' 'unsafe-eval'
> https://analytics.apache.org/". Note that 'script-src-elem' was not
> explicitly set, so 'script-src' is used as a fallback.
> apache-sling-eventing-and-job-handling.html:10 Uncaught ReferenceError: hljs
> is not defined
> at apache-sling-eventing-and-job-handling.html:10:13
> apache-sling-eventing-and-job-handling.html:26 Refused to load the script
> 'https://matomo.privacy.apache.org/matomo.js' because it violates the
> following Content Security Policy directive: "script-src 'self'
> 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/". Note that
> 'script-src-elem' was not explicitly set, so 'script-src' is used as a
> fallback.
> (anonymous) @ apache-sling-eventing-and-job-handling.html:26
> apache-sling-eventing-and-job-handling.html:1 Refused to load the image
> 'data:image/svg+xml,%3Csvg width='18' height='18' viewBox='0 0 18 18'
> fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M12.7549
> 11.255H11.9649L11.6849 10.985C12.6649 9.845 13.2549 8.365 13.2549
> 6.755C13.2549 3.165 10.3449 0.255005 6.75488 0.255005C3.16488 0.255005
> 0.254883 3.165 0.254883 6.755C0.254883 10.345 3.16488 13.255 6.75488
> 13.255C8.36488 13.255 9.84488 12.665 10.9849 11.685L11.2549
> 11.965V12.755L16.2549 17.745L17.7449 16.255L12.7549 11.255ZM6.75488
> 11.255C4.26488 11.255 2.25488 9.245 2.25488 6.755C2.25488 4.26501 4.26488
> 2.255 6.75488 2.255C9.24488 2.255 11.2549 4.26501 11.2549 6.755C11.2549 9.245
> 9.24488 11.255 6.75488 11.255Z' fill='%23000000'/%3E%3C/svg%3E%0A' because it
> violates the following Content Security Policy directive: "img-src 'self'
> https://www.apache.org/".
> apache-sling-eventing-and-job-handling.html:1 Refused to load the stylesheet
> 'https://cdnjs.cloudflare.com/ajax/libs/bulma/0.7.5/css/bulma.min.css'
> because it violates the following Content Security Policy directive:
> "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not
> explicitly set, so 'style-src' is used as a fallback.
> apache-sling-eventing-and-job-handling.html:1 Refused to load the stylesheet
> 'https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/default.min.css'
> because it violates the following Content Security Policy directive:
> "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not
> explicitly set, so 'style-src' is used as a fallback.
> {noformat}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
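Added example (not code from the Jira issue, the Sling site or the ASF infrastructure repository): a small Python evaluator that replays the console refusals quoted above against a CSP header, so a candidate policy can be checked before it is deployed. It handles 'self', scheme sources such as data:, host sources with a path prefix, and the style-src-elem/script-src-elem fallback the console messages mention; PAGE_ORIGIN, the shortened data: URL and CANDIDATE_CSP are assumptions constructed for the example.

```python
from urllib.parse import urlsplit
PAGE_ORIGIN = "https://sling.apache.org"   # assumed origin of the Sling site
FALLBACK = {"script-src-elem": "script-src", "style-src-elem": "style-src"}  # browser fallback
# Directives exactly as quoted in the report's console output.
OBSERVED_CSP = ("script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/; "
                "style-src 'self' 'unsafe-inline'; img-src 'self' https://www.apache.org/")
# Candidate replacement constructed here (not the change ASF shipped): adds only the CDN
# path prefix, the Matomo host and data: images; the apachecon.com snippet stays blocked.
CANDIDATE_CSP = ("script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/ "
                 "https://matomo.privacy.apache.org https://cdnjs.cloudflare.com/ajax/libs/; "
                 "style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com/ajax/libs/; "
                 "img-src 'self' https://www.apache.org/ data:")
# (directive hit, URL) pairs from the report; the inline SVG data: URL is shortened.
BLOCKED = [
    ("style-src-elem", "https://cdnjs.cloudflare.com/ajax/libs/bulma/0.7.5/css/bulma.min.css"),
    ("script-src-elem", "https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/highlight.min.js"),
    ("script-src-elem", "https://www.apachecon.com/event-images/snippet.js"),
    ("script-src-elem", "https://matomo.privacy.apache.org/matomo.js"),
    ("img-src", "data:image/svg+xml,%3Csvg%3E%3C/svg%3E"),
]

def parse_csp(header):
    """'a b; c d e' -> {'a': ['b'], 'c': ['d', 'e']}, directive names lower-cased."""
    return {p.split()[0].lower(): p.split()[1:] for p in header.split(";") if p.split()}

def source_matches(src, url, page_origin):
    """One source expression against one URL: 'self', scheme-source or host-source."""
    u = urlsplit(url)
    if src == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if src.startswith("'"):          # 'unsafe-inline', nonces and hashes never match a URL
        return False
    if src.endswith(":"):            # scheme-source such as data: or https:
        return u.scheme == src[:-1].lower()
    s = urlsplit(src if "://" in src else "https://" + src)   # host-source, optional path
    scheme_ok = "://" not in src or s.scheme == u.scheme
    path_ok = s.path in ("", "/") or u.path.startswith(s.path)
    return s.hostname == u.hostname and scheme_ok and path_ok

def allowed(policy, directive, url, page_origin=PAGE_ORIGIN):
    """Walk the fallback chain (x-src-elem -> x-src -> default-src), then test each source."""
    while directive not in policy and directive in FALLBACK:
        directive = FALLBACK[directive]
    sources = policy.get(directive, policy.get("default-src"))
    return True if sources is None else any(source_matches(s, url, page_origin) for s in sources)

def refused(header, blocked=BLOCKED):
    """(directive, url) pairs that a policy header would still refuse."""
    policy = parse_csp(header)
    return [(d, u) for d, u in blocked if not allowed(policy, d, u)]
```

Running `refused(OBSERVED_CSP)` reproduces all five refusals from the report, while `refused(CANDIDATE_CSP)` leaves only the apachecon.com script, showing that a path-scoped CDN entry is enough for the Bulma and highlight.js assets.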