Copilot commented on code in PR #3980:
URL: https://github.com/apache/hertzbeat/pull/3980#discussion_r2698662702


##########
home/static/.htaccess:
##########
@@ -1,3 +1,3 @@
 <IfModule mod_headers.c>
-    Header set Content-Security-Policy "default-src data: blob: 'self' 
*.apache.org *.kapa.ai *.githubusercontent.com *.googleapis.com *.google.com 
*.run.app *.gstatic.com *.github.com https://hcaptcha.com 
https://*.hcaptcha.com *.algolia.net *.algolianet.com *.apachecon.com 
*.communityovercode.org 'unsafe-inline' 'unsafe-eval'; frame-src *; 
frame-ancestors 'self' *.google.com; worker-src 'self' data: blob:; img-src 
'self' blob: data: https:; font-src 'self' data: blob:; object-src 'none'"
-</IfModule>
+    Header set Content-Security-Policy "script-src 'self' widget.kapa.ai 
www.google.com https://hcaptcha.com https://*.hcaptcha.com 
https://www.gstatic.com 'unsafe-inline' 'unsafe-eval'; connect-src 'self' 
proxy.kapa.ai kapa-widget-proxy-la7dkmplpq-uc.a.run.app metrics.kapa.ai 
https://hcaptcha.com https://*.hcaptcha.com www.google.com; frame-src 'self' 
www.google.com https://hcaptcha.com https://*.hcaptcha.com; style-src 'self' 
'unsafe-inline' https://hcaptcha.com https://*.hcaptcha.com;";
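Review bot: the hunk drops `</IfModule>` as a `-` line but shows no `+</IfModule>`, even though the header `@@ -1,3 +1,3 @@` says the new side still has three lines. Confirm the closing tag is present in the committed file; an unterminated `<IfModule mod_headers.c>` block is a syntax error that makes Apache reject the whole .htaccess and serve a 500 for every request under `home/static/`.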

Review Comment:
   The removal of wildcard domains like *.apache.org, *.github.com, 
*.algolia.net, *.apachecon.com, and *.communityovercode.org appears to be a 
breaking change that could prevent resources from these domains from loading. 
Verify that these domains are truly no longer needed or add them back to the 
appropriate directives.
   ```suggestion
       Header set Content-Security-Policy "script-src 'self' widget.kapa.ai 
www.google.com https://hcaptcha.com https://*.hcaptcha.com 
https://www.gstatic.com https://*.apache.org https://*.github.com 
https://*.algolia.net https://*.apachecon.com https://*.communityovercode.org 
'unsafe-inline' 'unsafe-eval'; connect-src 'self' proxy.kapa.ai 
kapa-widget-proxy-la7dkmplpq-uc.a.run.app metrics.kapa.ai https://hcaptcha.com 
https://*.hcaptcha.com www.google.com https://*.apache.org https://*.github.com 
https://*.algolia.net https://*.apachecon.com https://*.communityovercode.org; 
frame-src 'self' www.google.com https://hcaptcha.com https://*.hcaptcha.com 
https://*.apache.org https://*.github.com https://*.algolia.net 
https://*.apachecon.com https://*.communityovercode.org; style-src 'self' 
'unsafe-inline' https://hcaptcha.com https://*.hcaptcha.com 
https://*.apache.org https://*.github.com https://*.algolia.net 
https://*.apachecon.com https://*.communityovercode.org;";
   ```



##########
home/static/.htaccess:
##########
@@ -1,3 +1,3 @@
 <IfModule mod_headers.c>
-    Header set Content-Security-Policy "default-src data: blob: 'self' 
*.apache.org *.kapa.ai *.githubusercontent.com *.googleapis.com *.google.com 
*.run.app *.gstatic.com *.github.com https://hcaptcha.com 
https://*.hcaptcha.com *.algolia.net *.algolianet.com *.apachecon.com 
*.communityovercode.org 'unsafe-inline' 'unsafe-eval'; frame-src *; 
frame-ancestors 'self' *.google.com; worker-src 'self' data: blob:; img-src 
'self' blob: data: https:; font-src 'self' data: blob:; object-src 'none'"
-</IfModule>
+    Header set Content-Security-Policy "script-src 'self' widget.kapa.ai 
www.google.com https://hcaptcha.com https://*.hcaptcha.com 
https://www.gstatic.com 'unsafe-inline' 'unsafe-eval'; connect-src 'self' 
proxy.kapa.ai kapa-widget-proxy-la7dkmplpq-uc.a.run.app metrics.kapa.ai 
https://hcaptcha.com https://*.hcaptcha.com www.google.com; frame-src 'self' 
www.google.com https://hcaptcha.com https://*.hcaptcha.com; style-src 'self' 
'unsafe-inline' https://hcaptcha.com https://*.hcaptcha.com;";
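Review bot: `script-src` on the `+` line keeps `'unsafe-inline' 'unsafe-eval'` next to the narrowed host list, so any inline script injected into the page still runs and the tighter allowlist adds little XSS protection. If the kapa.ai widget and hCaptcha snippets cannot be served from external files, consider whitelisting them with a nonce or hash; once a nonce or hash is present, CSP2+ browsers ignore `'unsafe-inline'`, which gets the benefit of the allowlist without breaking those snippets.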

Review Comment:
   The new CSP is missing critical directives that were present in the original 
policy. Missing directives include: default-src (fallback), img-src (controls 
image loading), font-src (controls font loading), worker-src (controls web 
workers), object-src (controls plugins), and frame-ancestors (controls 
embedding). Without default-src, any unspecified directive defaults to 
unrestricted access. Add default-src or define all necessary directives 
explicitly to maintain security.
   ```suggestion
       Header set Content-Security-Policy "default-src 'self'; script-src 
'self' widget.kapa.ai www.google.com https://hcaptcha.com 
https://*.hcaptcha.com https://www.gstatic.com 'unsafe-inline' 'unsafe-eval'; 
connect-src 'self' proxy.kapa.ai kapa-widget-proxy-la7dkmplpq-uc.a.run.app 
metrics.kapa.ai https://hcaptcha.com https://*.hcaptcha.com www.google.com; 
img-src 'self' data: https:; font-src 'self' https: data:; worker-src 'self'; 
object-src 'none'; frame-src 'self' www.google.com https://hcaptcha.com 
https://*.hcaptcha.com; frame-ancestors 'self'; style-src 'self' 
'unsafe-inline' https://hcaptcha.com https://*.hcaptcha.com;";
   ```
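As an added example (not code from the PR or the HertzBeat project), the fallback rules the comment above relies on, modelled in a few lines of Python and run over the policy string copied from the hunk; the directive table follows CSP3, and the second policy in the test is a constructed stand-in for the suggested fix.

```python
# Added example: model CSP3 directive fallback and list which directives a
# policy leaves unrestricted. Not code from the PR; PR_POLICY is the hunk text.

# Fetch directives and the chain of directives consulted when each is absent.
FALLBACK = {d: ["default-src"] for d in (
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "manifest-src", "child-src")}
FALLBACK["frame-src"] = ["child-src", "default-src"]
FALLBACK["worker-src"] = ["child-src", "script-src", "default-src"]
# Document/navigation directives never fall back: absent means unrestricted.
NO_FALLBACK = ["frame-ancestors", "base-uri", "form-action"]

def parse_csp(header):
    """Return {directive: [source, ...]} from a CSP header value."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    """Source list that governs `directive`, or None if nothing restricts it."""
    for name in [directive] + FALLBACK.get(directive, []):
        if name in policy:
            return policy[name]
    return None

def unrestricted(policy):
    """Directives this policy leaves wide open."""
    return [d for d in list(FALLBACK) + NO_FALLBACK
            if effective_sources(policy, d) is None]

# Policy introduced by the PR, joined from the wrapped line in the hunk.
PR_POLICY = (
    "script-src 'self' widget.kapa.ai www.google.com https://hcaptcha.com "
    "https://*.hcaptcha.com https://www.gstatic.com 'unsafe-inline' 'unsafe-eval'; "
    "connect-src 'self' proxy.kapa.ai kapa-widget-proxy-la7dkmplpq-uc.a.run.app "
    "metrics.kapa.ai https://hcaptcha.com https://*.hcaptcha.com www.google.com; "
    "frame-src 'self' www.google.com https://hcaptcha.com https://*.hcaptcha.com; "
    "style-src 'self' 'unsafe-inline' https://hcaptcha.com https://*.hcaptcha.com;"
)

if __name__ == "__main__":
    policy = parse_csp(PR_POLICY)
    print("img-src governed by:", effective_sources(policy, "img-src"))
    print("wide open:", unrestricted(policy))
```

Note that `worker-src` is not reported as open: it falls through `child-src` to `script-src`, so workers inherit the script allowlist, while `img-src`, `object-src` and `frame-ancestors` have nothing to fall back to.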



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
