This is an automated email from the ASF dual-hosted git repository.

xiangfu pushed a commit to branch new-site-dev
in repository https://gitbox.apache.org/repos/asf/pinot-site.git


The following commit(s) were added to refs/heads/new-site-dev by this push:
     new d405574e Allow Matomo script in CSP
d405574e is described below

commit d405574edd8a31745cf0b2ee8bdb58b58e4174e4
Author: Xiang Fu <[email protected]>
AuthorDate: Fri Jan 2 09:33:49 2026 -0800

    Allow Matomo script in CSP
---
 app/layout.tsx        |  2 +-
 next.config.js        |  1 +
 tests/matomo.test.cjs | 18 ++++++++++++++++++
 vercel.json           |  2 +-
 4 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/app/layout.tsx b/app/layout.tsx
index 7c8c0318..91090a83 100644
--- a/app/layout.tsx
+++ b/app/layout.tsx
@@ -68,7 +68,7 @@ export default function RootLayout({ children }: { children: 
React.ReactNode })
             <head>
                 <meta
                     httpEquiv="Content-Security-Policy"
-                    content="default-src 'self';script-src 'self' 
'unsafe-eval' 'unsafe-inline' giscus.app analytics.umami.is 
analytics.apache.org www.youtube.com;style-src 'self' 'unsafe-inline';img-src * 
blob: data:;media-src *.s3.amazonaws.com;connect-src *;font-src 
'self';frame-src www.youtube.com youtube.com giscus.app youtu.be 
https://www.youtube.com https://youtube.com;";
+                    content="default-src 'self';script-src 'self' 
'unsafe-eval' 'unsafe-inline' giscus.app analytics.umami.is 
analytics.apache.org www.youtube.com;script-src-elem 'self' 'unsafe-eval' 
'unsafe-inline' giscus.app analytics.umami.is analytics.apache.org 
www.youtube.com;style-src 'self' 'unsafe-inline';img-src * blob: 
data:;media-src *.s3.amazonaws.com;connect-src *;font-src 'self';frame-src 
www.youtube.com youtube.com giscus.app youtu.be https://www.youtube.com 
https://youtu [...]
                 />
                 <link
                     rel="apple-touch-icon"
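Review bot: The `script-src-elem` list added here is a byte-for-byte copy of the `script-src` list just above it, and a browser that sees no `script-src-elem` already falls back to `script-src`, so as written the new directive does not allow anything the old policy did not; the same duplication is made in next.config.js and vercel.json. If a reported `script-src-elem` violation prompted the change, the blocked source is worth recording in a comment next to the directive, because with identical lists the fix presumably lies elsewhere (for example a policy from another of the three copies being intersected with this one). `'unsafe-eval'` also has no effect in `script-src-elem`, which governs only where script elements load from, so if the directive is kept it can be trimmed to `script-src-elem 'self' 'unsafe-inline' giscus.app analytics.umami.is analytics.apache.org www.youtube.com;`. Keeping one directive string and reusing it in all three files would remove the drift that now has to be maintained by hand; note the end of this meta value is truncated in the mail (`https://youtu [...]`), so its tail could not be checked here.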
diff --git a/next.config.js b/next.config.js
index 5842f245..925940a1 100644
--- a/next.config.js
+++ b/next.config.js
@@ -8,6 +8,7 @@ const withBundleAnalyzer = require('@next/bundle-analyzer')({
 const ContentSecurityPolicy = `
   default-src 'self';
   script-src 'self' 'unsafe-eval' 'unsafe-inline' giscus.app 
analytics.umami.is analytics.apache.org www.youtube.com;
+  script-src-elem 'self' 'unsafe-eval' 'unsafe-inline' giscus.app 
analytics.umami.is analytics.apache.org www.youtube.com;
   style-src 'self' 'unsafe-inline';
   img-src * blob: data:;
   media-src *.s3.amazonaws.com;
diff --git a/tests/matomo.test.cjs b/tests/matomo.test.cjs
index 22b38c84..efdd8903 100644
--- a/tests/matomo.test.cjs
+++ b/tests/matomo.test.cjs
@@ -6,6 +6,7 @@ const path = require('node:path');
 const repoRoot = path.resolve(__dirname, '..');
 const layoutPath = path.join(repoRoot, 'app', 'layout.tsx');
 const nextConfigPath = path.join(repoRoot, 'next.config.js');
+const vercelConfigPath = path.join(repoRoot, 'vercel.json');
 
 test('matomo tracking snippet is present in the layout', () => {
     const layoutContents = fs.readFileSync(layoutPath, 'utf8');
@@ -27,3 +28,20 @@ test('csp allows analytics.apache.org in script-src', () => {
         'Expected analytics.apache.org in next.config.js CSP'
     );
 });
+
+test('csp allows analytics.apache.org for script elements', () => {
+    const layoutContents = fs.readFileSync(layoutPath, 'utf8');
+    const nextConfigContents = fs.readFileSync(nextConfigPath, 'utf8');
+    const vercelConfigContents = fs.readFileSync(vercelConfigPath, 'utf8');
+
+    for (const contents of [layoutContents, nextConfigContents, 
vercelConfigContents]) {
+        assert.ok(
+            contents.includes('analytics.apache.org'),
+            'Expected analytics.apache.org in CSP sources'
+        );
+        assert.ok(
+            contents.includes('script-src-elem'),
+            'Expected script-src-elem directive in CSP'
+        );
+    }
+});
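Review bot: The two `assert.ok` checks test `analytics.apache.org` and `script-src-elem` as independent substring matches over the whole file, so the test passes when the host appears only in the tracking snippet (layout.tsx contains it for the tracker itself) while the `script-src-elem` directive lists something else; it never verifies that the host is actually allowed by that directive. Extracting the directive first makes the assertion meaningful: `const elem = /script-src-elem\s+([^;]*)/.exec(contents);` followed by `assert.ok(elem && elem[1].includes('analytics.apache.org'), 'Expected analytics.apache.org in script-src-elem');`. The same regex works for all three files, since each terminates the directive with `;`, and a failure message that names the file (`path.basename`) would save a round trip when one of the three copies drifts.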
diff --git a/vercel.json b/vercel.json
index 993f944f..0a626d20 100644
--- a/vercel.json
+++ b/vercel.json
@@ -5,7 +5,7 @@
             "headers": [
                 {
                     "key": "Content-Security-Policy",
-                    "value": "default-src 'self'; script-src 'self' 
'unsafe-eval' 'unsafe-inline' giscus.app analytics.umami.is 
analytics.apache.org www.youtube.com; style-src 'self' 'unsafe-inline'; img-src 
* blob: data:; media-src *.s3.amazonaws.com; connect-src *; font-src 'self'; 
frame-src www.youtube.com youtube.com giscus.app youtu.be;"
+                    "value": "default-src 'self'; script-src 'self' 
'unsafe-eval' 'unsafe-inline' giscus.app analytics.umami.is 
analytics.apache.org www.youtube.com; script-src-elem 'self' 'unsafe-eval' 
'unsafe-inline' giscus.app analytics.umami.is analytics.apache.org 
www.youtube.com; style-src 'self' 'unsafe-inline'; img-src * blob: data:; 
media-src *.s3.amazonaws.com; connect-src *; font-src 'self'; frame-src 
www.youtube.com youtube.com giscus.app youtu.be;"
                 },
                 {
                     "key": "Referrer-Policy",


