
fix: use SetEnv CSP_PROJECT_DOMAINS instead of overriding CSP header#815

Merged
Jtrust merged 2 commits into apache:master from Senrian:fix/csp-header on Mar 21, 2026

Conversation

@Senrian
Contributor

@Senrian Senrian commented Mar 20, 2026

What

Fixes apache/skywalking#13554

Why

The .htaccess file was directly setting the Content-Security-Policy header via Header set Content-Security-Policy, which overrides the Apache infrastructure default CSP.

Per Apache Infra's standard CSP handling, projects must use SetEnv CSP_PROJECT_DOMAINS to add project-specific domains to the default CSP base policy, rather than replacing the header entirely.

How

  • Removed: Header set Content-Security-Policy "frame-src 'self' https://www.google.com https://app.netlify.com"
  • Added: SetEnv CSP_PROJECT_DOMAINS "https://www.google.com https://app.netlify.com"

This allows Apache Infra's default CSP to remain intact while adding the necessary domains for Netlify and Google (used for site functionality).

Testing

  • The changed file is valid .htaccess syntax
  • The domains listed match exactly those previously allowed by the overridden CSP header

Follow Apache Infra standard CSP handling per https://infra.apache.org/tools/csp.html
The Content-Security-Policy header must not be overridden directly.
Instead, use SetEnv CSP_PROJECT_DOMAINS to add project-specific domains
to the default Apache CSP base policy.
@netlify

netlify bot commented Mar 20, 2026

Deploy Preview for skywalking-website-preview ready!

Latest commit: 22998de
Latest deploy log: https://app.netlify.com/projects/skywalking-website-preview/deploys/69be0f88c01927000851ff62
Deploy Preview: https://deploy-preview-815--skywalking-website-preview.netlify.app

@wu-sheng
Member

Please resolve the conflicts.

@wu-sheng wu-sheng requested a review from Jtrust March 20, 2026 13:34
@Jtrust
Member

Jtrust commented Mar 21, 2026

LGTM.
Conflicts resolved.

@Jtrust Jtrust merged commit 845283c into apache:master Mar 21, 2026
5 checks passed
@Jtrust
Member

Jtrust commented Mar 21, 2026

After this PR was merged, a resource loading error occurred, rendering the kapa.ai plugin unusable. We plan to revert the changes. @wu-sheng
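An added illustration (not code from the skywalking-website repository or from Apache Infra) of the point in the PR description and of the breakage Jtrust reports above: a `Header set Content-Security-Policy` line replaces the whole header, so every directive the infra default policy contained disappears and only `frame-src` remains, whereas `SetEnv CSP_PROJECT_DOMAINS` keeps that base policy and only widens it with the listed origins. The base policy `ASSUMED_BASE_CSP`, the site origin `https://site.example`, the third-party script host `https://cdn.third-party.example` and the assumption that the infra template appends the project domains to each directive are all constructed for this example; the real default is documented at https://infra.apache.org/tools/csp.html and may differ.

```python
"""Compare an overridden CSP header with a base policy extended via CSP_PROJECT_DOMAINS.

Added example, not code from skywalking-website or Apache Infra. The base policy,
the site origin and the third-party host below are constructed stand-ins.
"""
import re
from urllib.parse import urlsplit

# ASSUMPTION: a stand-in for the Apache Infra default CSP, not the real value.
ASSUMED_BASE_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline'; "
    "frame-src 'self'"
)
SITE_ORIGIN = "https://site.example"  # constructed origin for the site itself

# The removed .htaccess line and its replacement, as described in the PR.
HTACCESS_BEFORE = (
    'Header set Content-Security-Policy "frame-src \'self\' '
    'https://www.google.com https://app.netlify.com"\n'
)
HTACCESS_AFTER = 'SetEnv CSP_PROJECT_DOMAINS "https://www.google.com https://app.netlify.com"\n'

_HEADER_SET = re.compile(
    r'^\s*Header\s+(?:always\s+)?set\s+Content-Security-Policy\s+"?([^"\n]*)"?',
    re.I | re.M,
)
_SETENV = re.compile(r'^\s*SetEnv\s+CSP_PROJECT_DOMAINS\s+"?([^"\n]*)"?', re.I | re.M)


def csp_override_lines(htaccess: str) -> list[str]:
    """Lint check: every line that replaces the CSP header outright."""
    return [m.group(0).strip() for m in _HEADER_SET.finditer(htaccess)]


def parse_policy(csp: str) -> dict[str, list[str]]:
    """Split a serialized CSP into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize(policy: dict[str, list[str]]) -> str:
    return "; ".join(f"{d} {' '.join(s)}".rstrip() for d, s in policy.items())


def effective_policy(htaccess: str, base_csp: str = ASSUMED_BASE_CSP) -> dict[str, list[str]]:
    """Return the policy a browser would receive for the given .htaccess text.

    'Header set Content-Security-Policy' replaces the whole header, so the base
    policy is discarded. 'SetEnv CSP_PROJECT_DOMAINS' keeps the base policy and,
    ASSUMPTION about how the infra template composes it, appends the listed
    origins to every directive already present in the base policy.
    """
    override = _HEADER_SET.search(htaccess)
    if override:
        return parse_policy(override.group(1))
    policy = parse_policy(base_csp)
    extra = _SETENV.search(htaccess)
    if extra:
        for sources in policy.values():
            sources.extend(extra.group(1).split())
    return policy


def allows(policy: dict[str, list[str]], directive: str, url: str) -> bool:
    """Simplified CSP source matching for one fetch directive.

    Falls back to default-src when the directive is absent; if neither exists
    CSP imposes no restriction, which is exactly the state the override produced
    for everything except frame-src.
    """
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.netloc}"
    return any(src == "*" or src == origin or (src == "'self'" and origin == SITE_ORIGIN)
               for src in sources)


def compare_script(url: str) -> tuple[bool, bool]:
    """(allowed under the old override, allowed under base + project domains)."""
    before = effective_policy(HTACCESS_BEFORE)
    after = effective_policy(HTACCESS_AFTER)
    return allows(before, "script-src", url), allows(after, "script-src", url)


if __name__ == "__main__":
    for label, text in (("before", HTACCESS_BEFORE), ("after", HTACCESS_AFTER)):
        print(f"{label} overrides header: {csp_override_lines(text)}")
        print(f"{label} effective policy: {serialize(effective_policy(text))}")
    # Constructed third-party script host standing in for any plugin whose
    # origin is not listed in CSP_PROJECT_DOMAINS.
    for url in ("https://app.netlify.com/x.js", "https://cdn.third-party.example/widget.js"):
        print(url, compare_script(url))
```

Running it prints both effective policies and then the two script checks: the old override never restricted `script-src` at all (no directive and no `default-src`), so any host loaded; with the base policy back in force a script host is blocked unless it is listed in `CSP_PROJECT_DOMAINS`, which is the shape of the plugin failure reported above under the assumed base policy.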

Jtrust added a commit to Jtrust/skywalking-website that referenced this pull request Mar 21, 2026
Jtrust added a commit that referenced this pull request Mar 21, 2026

Linked issue: [Bug] The Content-Security-Policy header must not be overridden