Copilot commented on code in PR #3979:
URL: https://github.com/apache/hertzbeat/pull/3979#discussion_r2698395180


##########
home/static/.htaccess:
##########
@@ -1,2 +1,3 @@
-# CSP permissions for hertzbeat.apache.org - Adding 3rd party service Algolia 
& Kapa.ai
-SetEnv CSP_PROJECT_DOMAINS "https://*.algolia.net/ https://*.algolianet.com/ 
https://*.algolia.io/ https://widget.kapa.ai https://proxy.kapa.ai 
https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://metrics.kapa.ai 
https://www.google.com/recaptcha/ https://hcaptcha.com https://*.hcaptcha.com";
+<IfModule mod_headers.c>
+    Header set Content-Security-Policy "default-src data: blob: 'self' 
*.apache.org *.kapa.ai *.githubusercontent.com *.googleapis.com *.google.com 
*.run.app *.gstatic.com *.github.com https://hcaptcha.com 
https://*.hcaptcha.com *.algolia.net *.algolianet.com *.apachecon.com 
*.communityovercode.org 'unsafe-inline' 'unsafe-eval'; frame-src *; 
frame-ancestors 'self' *.google.com; worker-src 'self' data: blob:; img-src 
'self' blob: data: https:; font-src 'self' data: blob:; object-src 'none'"
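Review bot: `*.run.app` in `default-src` (the `+    Header set Content-Security-Policy` line) allow-lists every Google Cloud Run deployment, not just the Kapa proxy; the removed `SetEnv` line named the exact host `https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app`, so pin to that host instead. With `'unsafe-eval'` in the same directive, the wildcard means a script served from any run.app application would be allowed to load and execute in the page.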

Review Comment:
   The CSP directive 'frame-src *' allows embedding content from any domain, 
which is overly permissive and poses a security risk. Consider restricting this 
to only the necessary domains (e.g., specific trusted domains like 
*.google.com, *.kapa.ai, etc.) to prevent potential clickjacking attacks and 
unauthorized content embedding.
   ```suggestion
       Header set Content-Security-Policy "default-src data: blob: 'self' 
*.apache.org *.kapa.ai *.githubusercontent.com *.googleapis.com *.google.com 
*.run.app *.gstatic.com *.github.com https://hcaptcha.com 
https://*.hcaptcha.com *.algolia.net *.algolianet.com *.apachecon.com 
*.communityovercode.org 'unsafe-inline' 'unsafe-eval'; frame-src 'self' 
*.google.com *.kapa.ai https://hcaptcha.com https://*.hcaptcha.com; 
frame-ancestors 'self' *.google.com; worker-src 'self' data: blob:; img-src 
'self' blob: data: https:; font-src 'self' data: blob:; object-src 'none'"
   ```



##########
home/static/.htaccess:
##########
@@ -1,2 +1,3 @@
-# CSP permissions for hertzbeat.apache.org - Adding 3rd party service Algolia 
& Kapa.ai
-SetEnv CSP_PROJECT_DOMAINS "https://*.algolia.net/ https://*.algolianet.com/ 
https://*.algolia.io/ https://widget.kapa.ai https://proxy.kapa.ai 
https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://metrics.kapa.ai 
https://www.google.com/recaptcha/ https://hcaptcha.com https://*.hcaptcha.com";
+<IfModule mod_headers.c>
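Review bot: the hunk header `@@ -1,2 +1,3 @@` announces three added lines but only `<IfModule mod_headers.c>` is shown here, so confirm the block is closed with `</IfModule>` and that the new directive is actually inside it. Note also that `<IfModule>` fails open: if mod_headers is not loaded on the hosting server, the site ships with no CSP at all and nothing reports it, whereas the removed `SetEnv CSP_PROJECT_DOMAINS` delegated the policy to whatever consumed that variable; check that nothing else still reads it before deleting the line.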

Review Comment:
   The img-src directive includes 'https:' which allows images from any HTTPS 
source, effectively making it too permissive. Consider restricting this to 
specific trusted domains to reduce the attack surface, or at minimum add a 
comment explaining why this broad allowance is necessary.
   ```suggestion
   <IfModule mod_headers.c>
       # NOTE: img-src includes `https:` to allow images from arbitrary HTTPS 
origins (e.g., user-supplied content);
       # this broad allowance is intentional and accepted for this deployment.
   ```



##########
home/static/.htaccess:
##########
@@ -1,2 +1,3 @@
-# CSP permissions for hertzbeat.apache.org - Adding 3rd party service Algolia 
& Kapa.ai
-SetEnv CSP_PROJECT_DOMAINS "https://*.algolia.net/ https://*.algolianet.com/ 
https://*.algolia.io/ https://widget.kapa.ai https://proxy.kapa.ai 
https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://metrics.kapa.ai 
https://www.google.com/recaptcha/ https://hcaptcha.com https://*.hcaptcha.com";
+<IfModule mod_headers.c>
+    Header set Content-Security-Policy "default-src data: blob: 'self' 
*.apache.org *.kapa.ai *.githubusercontent.com *.googleapis.com *.google.com 
*.run.app *.gstatic.com *.github.com https://hcaptcha.com 
https://*.hcaptcha.com *.algolia.net *.algolianet.com *.apachecon.com 
*.communityovercode.org 'unsafe-inline' 'unsafe-eval'; frame-src *; 
frame-ancestors 'self' *.google.com; worker-src 'self' data: blob:; img-src 
'self' blob: data: https:; font-src 'self' data: blob:; object-src 'none'"
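Review bot: `Header set` without the `always` condition applies only to successful responses, so error pages (404, 500) would be served with no CSP; use `Header always set Content-Security-Policy "..."`. Separately, `frame-src *` controls what this page may embed, while clickjacking is governed by `frame-ancestors 'self' *.google.com`, which is already restrictive; the actual risk of `frame-src *` is that any injected `<iframe>` can pull arbitrary third-party content into the page, so limit it to the embed origins the site needs.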

Review Comment:
   The use of 'unsafe-inline' and 'unsafe-eval' in the default-src directive 
significantly weakens the CSP protection against XSS attacks. Consider 
implementing nonces or hashes for inline scripts and styles, or moving inline 
code to external files. If these are required by Docusaurus or third-party 
integrations, document this decision with a comment explaining why these 
exceptions are necessary.
   ```suggestion
       # Content Security Policy for Docusaurus site and required third-party 
integrations.
       # Note: 'unsafe-inline' and 'unsafe-eval' are intentionally restricted 
to script-src/style-src
       # because some bundled scripts/styles (e.g., Algolia search, hCaptcha, 
Google services)
       # still rely on inline code. They are not permitted on default-src to 
reduce XSS risk.
       Header set Content-Security-Policy "default-src 'self' data: blob: 
*.apache.org *.kapa.ai *.githubusercontent.com *.googleapis.com *.google.com 
*.run.app *.gstatic.com *.github.com https://hcaptcha.com 
https://*.hcaptcha.com *.algolia.net *.algolianet.com *.apachecon.com 
*.communityovercode.org; script-src 'self' data: blob: *.apache.org *.kapa.ai 
*.githubusercontent.com *.googleapis.com *.google.com *.run.app *.gstatic.com 
*.github.com https://hcaptcha.com https://*.hcaptcha.com *.algolia.net 
*.algolianet.com *.apachecon.com *.communityovercode.org 'unsafe-inline' 
'unsafe-eval'; style-src 'self' 'unsafe-inline' *.googleapis.com *.gstatic.com; 
frame-src *; frame-ancestors 'self' *.google.com; worker-src 'self' data: 
blob:; img-src 'self' blob: data: https:; font-src 'self' data: blob:; 
object-src 'none'"
   ```



##########
home/static/.htaccess:
##########
@@ -1,2 +1,3 @@
-# CSP permissions for hertzbeat.apache.org - Adding 3rd party service Algolia 
& Kapa.ai
-SetEnv CSP_PROJECT_DOMAINS "https://*.algolia.net/ https://*.algolianet.com/ 
https://*.algolia.io/ https://widget.kapa.ai https://proxy.kapa.ai 
https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://metrics.kapa.ai 
https://www.google.com/recaptcha/ https://hcaptcha.com https://*.hcaptcha.com";
+<IfModule mod_headers.c>
+    Header set Content-Security-Policy "default-src data: blob: 'self' 
*.apache.org *.kapa.ai *.githubusercontent.com *.googleapis.com *.google.com 
*.run.app *.gstatic.com *.github.com https://hcaptcha.com 
https://*.hcaptcha.com *.algolia.net *.algolianet.com *.apachecon.com 
*.communityovercode.org 'unsafe-inline' 'unsafe-eval'; frame-src *; 
frame-ancestors 'self' *.google.com; worker-src 'self' data: blob:; img-src 
'self' blob: data: https:; font-src 'self' data: blob:; object-src 'none'"
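Review bot: the rewrite drops an origin the removed line allowed: `https://*.algolia.io/` has no counterpart in the new policy (only `*.algolia.net` and `*.algolianet.com` remain), so confirm the Algolia search client no longer contacts it. Since this replaces the whole policy at once, consider shipping the new value first as `Content-Security-Policy-Report-Only` with a `report-uri`/`report-to` endpoint for a short period, so any origin that was silently relied on shows up as a violation report rather than as broken search or captcha for users.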

Review Comment:
   The CSP header is extremely long and difficult to read and maintain. 
Consider breaking this into multiple lines using Apache's header append syntax 
or adding line breaks with backslashes for better readability. Alternatively, 
add a comment documenting which domains are for which services (e.g., Algolia, 
Kapa.ai, hCaptcha).
   ```suggestion
       # Content Security Policy
       # Kapa.ai:          *.kapa.ai
       # Algolia search:   *.algolia.net *.algolianet.com
       # hCaptcha:         https://hcaptcha.com https://*.hcaptcha.com
       # Event sites:      *.apachecon.com *.communityovercode.org
       Header set Content-Security-Policy "default-src data: blob: 'self' \
           *.apache.org *.kapa.ai *.githubusercontent.com *.googleapis.com \
           *.google.com *.run.app *.gstatic.com *.github.com \
           https://hcaptcha.com https://*.hcaptcha.com \
           *.algolia.net *.algolianet.com \
           *.apachecon.com *.communityovercode.org \
           'unsafe-inline' 'unsafe-eval'; \
           frame-src *; \
           frame-ancestors 'self' *.google.com; \
           worker-src 'self' data: blob:; \
           img-src 'self' blob: data: https:; \
           font-src 'self' data: blob:; \
           object-src 'none'"
   ```



##########
home/static/.htaccess:
##########
@@ -1,2 +1,3 @@
-# CSP permissions for hertzbeat.apache.org - Adding 3rd party service Algolia 
& Kapa.ai
-SetEnv CSP_PROJECT_DOMAINS "https://*.algolia.net/ https://*.algolianet.com/ 
https://*.algolia.io/ https://widget.kapa.ai https://proxy.kapa.ai 
https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://metrics.kapa.ai 
https://www.google.com/recaptcha/ https://hcaptcha.com https://*.hcaptcha.com";
+<IfModule mod_headers.c>
+    Header set Content-Security-Policy "default-src data: blob: 'self' 
*.apache.org *.kapa.ai *.githubusercontent.com *.googleapis.com *.google.com 
*.run.app *.gstatic.com *.github.com https://hcaptcha.com 
https://*.hcaptcha.com *.algolia.net *.algolianet.com *.apachecon.com 
*.communityovercode.org 'unsafe-inline' 'unsafe-eval'; frame-src *; 
frame-ancestors 'self' *.google.com; worker-src 'self' data: blob:; img-src 
'self' blob: data: https:; font-src 'self' data: blob:; object-src 'none'"
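Review bot: the policy has no `base-uri` or `form-action` directive, and neither falls back to `default-src`; with `'unsafe-inline'` allowed, an injected `<base href>` could redirect every relative script and link URL and an injected form could post to any origin. `base-uri 'self'` and `form-action 'self'` are cheap additions that do not affect the listed third-party integrations. Also, `data:` in `default-src` is inherited by `script-src`, so `data:` URL scripts are permitted; if `data:` is only needed for images, fonts and workers, keep it in those directives (where it already appears) and drop it from `default-src`.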

Review Comment:
   The CSP header is missing important security directives such as 
'script-src', 'style-src', and 'connect-src'. Without these, they will inherit 
from 'default-src' which includes 'unsafe-inline' and 'unsafe-eval'. Consider 
explicitly defining these directives with more restrictive policies where 
possible.
   ```suggestion
       Header set Content-Security-Policy "default-src data: blob: 'self' 
*.apache.org *.kapa.ai *.githubusercontent.com *.googleapis.com *.google.com 
*.run.app *.gstatic.com *.github.com https://hcaptcha.com 
https://*.hcaptcha.com *.algolia.net *.algolianet.com *.apachecon.com 
*.communityovercode.org; script-src 'self' *.apache.org *.kapa.ai 
*.githubusercontent.com *.googleapis.com *.google.com *.run.app *.gstatic.com 
*.github.com https://hcaptcha.com https://*.hcaptcha.com *.algolia.net 
*.algolianet.com *.apachecon.com *.communityovercode.org 'unsafe-inline' 
'unsafe-eval'; style-src 'self' *.apache.org *.kapa.ai *.githubusercontent.com 
*.googleapis.com *.google.com *.run.app *.gstatic.com *.github.com 
https://hcaptcha.com https://*.hcaptcha.com *.algolia.net *.algolianet.com 
*.apachecon.com *.communityovercode.org 'unsafe-inline'; connect-src 'self' 
*.apache.org *.kapa.ai *.googleapis.com *.google.com *.run.app *.gstatic.com 
*.github.com https://hcaptcha.com https://*.hcaptcha.com 
 *.algolia.net *.algolianet.com; frame-src *; frame-ancestors 'self' 
*.google.com; worker-src 'self' data: blob:; img-src 'self' blob: data: https:; 
font-src 'self' data: blob:; object-src 'none'"
   ```
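The inheritance and wildcard points raised across the comments above can be checked mechanically. The following linter is an added example, not code from the PR or the hertzbeat project; it parses the header value from the hunk (copied into `HERTZBEAT_CSP`) and reports sources that are `*`, scheme-only (`https:`), or `'unsafe-inline'`/`'unsafe-eval'`, noting when a directive merely inherits them from `default-src`.

```python
# Added example, not part of the PR: lint a CSP value for the weaknesses the
# review raises (default-src fallback, '*', scheme-only https:, unsafe keywords).

# Fetch directives that fall back to default-src when they are absent
# (worker-src and frame-src consult child-src/script-src first; simplified here).
FALLBACK_TO_DEFAULT = ("script-src", "style-src", "connect-src", "img-src",
                       "font-src", "frame-src", "worker-src", "object-src")
UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}

# Header value copied from the hunk above (the policy under review).
HERTZBEAT_CSP = (
    "default-src data: blob: 'self' *.apache.org *.kapa.ai *.githubusercontent.com "
    "*.googleapis.com *.google.com *.run.app *.gstatic.com *.github.com "
    "https://hcaptcha.com https://*.hcaptcha.com *.algolia.net *.algolianet.com "
    "*.apachecon.com *.communityovercode.org 'unsafe-inline' 'unsafe-eval'; "
    "frame-src *; frame-ancestors 'self' *.google.com; worker-src 'self' data: blob:; "
    "img-src 'self' blob: data: https:; font-src 'self' data: blob:; object-src 'none'"
)

def parse_csp(header):
    """Return {directive: [sources]} from a serialized CSP header value."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def lint_csp(header):
    """Return (directive, finding) pairs; inherited findings name their origin."""
    policy = parse_csp(header)
    findings = []
    for directive in FALLBACK_TO_DEFAULT:
        if directive in policy:
            sources, origin = policy[directive], "explicit"
        else:  # absent fetch directive: the browser uses default-src instead
            sources, origin = policy.get("default-src", []), "inherited from default-src"
        for src in sources:
            if src == "*":
                findings.append((directive, f"wildcard * ({origin})"))
            elif src in ("https:", "http:"):
                findings.append((directive, f"scheme-only {src} allows any host ({origin})"))
            elif src in UNSAFE_KEYWORDS and directive in ("script-src", "style-src"):
                findings.append((directive, f"{src} ({origin})"))
    if "frame-ancestors" not in policy:
        findings.append(("frame-ancestors", "missing: any site may frame this page"))
    if "base-uri" not in policy:
        findings.append(("base-uri", "missing: an injected <base> can redirect relative URLs"))
    return findings
```

Running `lint_csp(HERTZBEAT_CSP)` yields seven findings for the policy as proposed: the two unsafe keywords inherited by both `script-src` and `style-src`, the `https:` scheme source in `img-src`, the `frame-src *` wildcard, and the missing `base-uri`.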



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
