This is an automated email from the ASF dual-hosted git repository.
xiangfu pushed a commit to branch new-site-dev
in repository https://gitbox.apache.org/repos/asf/pinot-site.git
The following commit(s) were added to refs/heads/new-site-dev by this push:
new 94d646b5 remove csp override from the code and update agents md file
94d646b5 is described below
commit 94d646b55ba06be5f1cba9f04b1d671cf06e12ff
Author: Xiang Fu <[email protected]>
AuthorDate: Sat Jan 3 19:21:03 2026 -0800
remove csp override from the code and update agents md file
---
AGENTS.md | 11 ++++++++++
app/layout.tsx | 18 ++++++++--------
next.config.js | 59 ---------------------------------------------------
tests/matomo.test.cjs | 28 ------------------------
vercel.json | 4 ----
5 files changed, 20 insertions(+), 100 deletions(-)
diff --git a/AGENTS.md b/AGENTS.md
index 05d3bd9c..3ddd07c5 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -235,6 +235,17 @@ Husky runs ESLint and Prettier on staged files before
commits.
- Static export (Next.js static site generation)
- Build process includes post-build scripts for optimization
+### Apache Configuration (.htaccess)
+
+- The `.htaccess` file is located on the `new-static-prod` branch
+- This file configures Content-Security-Policy (CSP) headers for the
Apache-hosted website
+- **IMPORTANT**: When modifying CSP permissions, follow the [Apache
Infrastructure CSP builder guidelines](https://infra.apache.org/tools/csp.html)
+- Key requirements:
+ - All additional domains/URLs must be pre-approved by VP Data Privacy
([email protected])
+ - Include a comment explaining why the CSP is changed and where
permission was obtained
+ - Use the format: `SetEnv CSP_PROJECT_DOMAINS "host1 host2 host3"`
+ - **DO NOT EDIT CSP HEADERS WITHOUT ASKING FIRST** - contact
[email protected] for assistance
+
## Common Patterns
### Data Fetching
diff --git a/app/layout.tsx b/app/layout.tsx
index 91090a83..fc75eb6d 100644
--- a/app/layout.tsx
+++ b/app/layout.tsx
@@ -1,19 +1,23 @@
import 'css/tailwind.css';
import 'pliny/search/algolia.css';
-import { Work_Sans } from 'next/font/google';
+import localFont from 'next/font/local';
import { Analytics, AnalyticsConfig } from 'pliny/analytics';
import { SearchProvider, SearchConfig } from 'pliny/search';
import Header from '@/components/Header';
-import SectionContainer from '@/components/SectionContainer';
import Footer from '@/components/Footer';
import siteMetadata from '@/data/siteMetadata';
import { ThemeProviders } from './theme-providers';
import { Metadata } from 'next';
-import Head from 'next/head';
-const work_sans = Work_Sans({
- subsets: ['latin'],
+const work_sans = localFont({
+ src: [
+ {
+ path: '../public/static/fonts/WorkSans-Variable.woff2',
+ weight: '100 900',
+ style: 'normal'
+ }
+ ],
display: 'swap',
variable: '--custom-font-work-sans'
});
@@ -66,10 +70,6 @@ export default function RootLayout({ children }: { children:
React.ReactNode })
suppressHydrationWarning
>
<head>
- <meta
- httpEquiv="Content-Security-Policy"
- content="default-src 'self';script-src 'self'
'unsafe-eval' 'unsafe-inline' giscus.app analytics.umami.is
analytics.apache.org www.youtube.com;script-src-elem 'self' 'unsafe-eval'
'unsafe-inline' giscus.app analytics.umami.is analytics.apache.org
www.youtube.com;style-src 'self' 'unsafe-inline';img-src * blob:
data:;media-src *.s3.amazonaws.com;connect-src *;font-src 'self';frame-src
www.youtube.com youtube.com giscus.app youtu.be https://www.youtube.com
https://youtu [...]
- />
<link
rel="apple-touch-icon"
sizes="76x76"
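Review bot: Nothing in layout.tsx now records where the page's CSP comes from, so a maintainer who sees no policy in `<head>` may re-add a meta tag; because a document must satisfy every policy delivered to it, a meta CSP reintroduced here would be enforced alongside the Apache header and could silently block scripts or frames that the `.htaccess` policy permits. Add a comment at the removal site, e.g. `{/* CSP is delivered by Apache (.htaccess on the new-static-prod branch); do not set a meta Content-Security-Policy here — see AGENTS.md */}`. The RootLayout function starts before this hunk and continues past it.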
diff --git a/next.config.js b/next.config.js
index 925940a1..16a65d52 100644
--- a/next.config.js
+++ b/next.config.js
@@ -4,57 +4,6 @@ const withBundleAnalyzer = require('@next/bundle-analyzer')({
enabled: process.env.ANALYZE === 'true'
});
-// You might need to insert additional domains in script-src if you are using
external services
-const ContentSecurityPolicy = `
- default-src 'self';
- script-src 'self' 'unsafe-eval' 'unsafe-inline' giscus.app
analytics.umami.is analytics.apache.org www.youtube.com;
- script-src-elem 'self' 'unsafe-eval' 'unsafe-inline' giscus.app
analytics.umami.is analytics.apache.org www.youtube.com;
- style-src 'self' 'unsafe-inline';
- img-src * blob: data:;
- media-src *.s3.amazonaws.com;
- connect-src *;
- font-src 'self';
- frame-src www.youtube.com youtube.com giscus.app youtu.be;
-`;
-
-const securityHeaders = [
- // https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
- {
- key: 'Content-Security-Policy',
- value: ContentSecurityPolicy.replace(/\n/g, '')
- },
- //
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
- {
- key: 'Referrer-Policy',
- value: 'strict-origin-when-cross-origin'
- },
- //
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
- {
- key: 'X-Frame-Options',
- value: 'DENY'
- },
- //
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
- {
- key: 'X-Content-Type-Options',
- value: 'nosniff'
- },
- //
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control
- {
- key: 'X-DNS-Prefetch-Control',
- value: 'on'
- },
- //
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
- {
- key: 'Strict-Transport-Security',
- value: 'max-age=31536000; includeSubDomains'
- },
- // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
- {
- key: 'Permissions-Policy',
- value: 'camera=(), microphone=(), geolocation=()'
- }
-];
-
/**
* @type {import('next/dist/next-server/server/config').NextConfig}
**/
@@ -78,14 +27,6 @@ module.exports = () => {
]
},
// Headers are set via vercel.json for static export deployments.
- // async headers() {
- // return [
- // {
- // source: '/(.*)',
- // headers: securityHeaders
- // }
- // ];
- // },
webpack: (config, options) => {
config.module.rules.push({
test: /\.svg$/,
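Review bot: The context comment `// Headers are set via vercel.json for static export deployments.` is now misleading, since this same commit removes the Content-Security-Policy entry from vercel.json and, per the AGENTS.md hunk, the CSP is instead served from the `.htaccess` on the `new-static-prod` branch; only the non-CSP headers remain in vercel.json. Change it to `// Non-CSP headers are set via vercel.json for static export deployments; the Content-Security-Policy is delivered by Apache (.htaccess on new-static-prod) — see AGENTS.md.` The exported config function starts before this hunk and continues after it.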
diff --git a/tests/matomo.test.cjs b/tests/matomo.test.cjs
index efdd8903..b22c4631 100644
--- a/tests/matomo.test.cjs
+++ b/tests/matomo.test.cjs
@@ -5,8 +5,6 @@ const path = require('node:path');
const repoRoot = path.resolve(__dirname, '..');
const layoutPath = path.join(repoRoot, 'app', 'layout.tsx');
-const nextConfigPath = path.join(repoRoot, 'next.config.js');
-const vercelConfigPath = path.join(repoRoot, 'vercel.json');
test('matomo tracking snippet is present in the layout', () => {
const layoutContents = fs.readFileSync(layoutPath, 'utf8');
@@ -19,29 +17,3 @@ test('matomo tracking snippet is present in the layout', ()
=> {
assert.ok(layoutContents.includes("matomo.js"), 'Expected matomo.js in
layout');
assert.ok(layoutContents.includes("setSiteId', '88'"), 'Expected Matomo
site ID 88 in layout');
});
-
-test('csp allows analytics.apache.org in script-src', () => {
- const nextConfigContents = fs.readFileSync(nextConfigPath, 'utf8');
-
- assert.ok(
- nextConfigContents.includes('analytics.apache.org'),
- 'Expected analytics.apache.org in next.config.js CSP'
- );
-});
-
-test('csp allows analytics.apache.org for script elements', () => {
- const layoutContents = fs.readFileSync(layoutPath, 'utf8');
- const nextConfigContents = fs.readFileSync(nextConfigPath, 'utf8');
- const vercelConfigContents = fs.readFileSync(vercelConfigPath, 'utf8');
-
- for (const contents of [layoutContents, nextConfigContents,
vercelConfigContents]) {
- assert.ok(
- contents.includes('analytics.apache.org'),
- 'Expected analytics.apache.org in CSP sources'
- );
- assert.ok(
- contents.includes('script-src-elem'),
- 'Expected script-src-elem directive in CSP'
- );
- }
-});
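Review bot: Dropping both CSP tests leaves no regression guard for the situation that matters after this change, namely a policy being reintroduced in the HTML or in vercel.json: a second CSP is enforced in addition to the Apache one, so any source missing from it would block resources the `.htaccess` policy allows, and nothing in the suite would notice. A negative test asserting that app/layout.tsx and vercel.json contain no `Content-Security-Policy` would catch that; it needs the `vercelConfigPath` constant that the first hunk of this file deletes, so that line should be kept.
```javascript
// … unchanged: matomo tracking snippet test …

test('csp is delivered by apache, not by the app or vercel config', () => {
  const layoutContents = fs.readFileSync(layoutPath, 'utf8');
  const vercelConfigContents = fs.readFileSync(vercelConfigPath, 'utf8');

  for (const [name, contents] of [
    ['app/layout.tsx', layoutContents],
    ['vercel.json', vercelConfigContents]
  ]) {
    assert.ok(
      !contents.includes('Content-Security-Policy'),
      `Unexpected CSP in ${name}; the policy is served by Apache (.htaccess) — see AGENTS.md`
    );
  }
});
```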
diff --git a/vercel.json b/vercel.json
index 0a626d20..4db6cb12 100644
--- a/vercel.json
+++ b/vercel.json
@@ -3,10 +3,6 @@
{
"source": "/(.*)",
"headers": [
- {
- "key": "Content-Security-Policy",
- "value": "default-src 'self'; script-src 'self'
'unsafe-eval' 'unsafe-inline' giscus.app analytics.umami.is
analytics.apache.org www.youtube.com; script-src-elem 'self' 'unsafe-eval'
'unsafe-inline' giscus.app analytics.umami.is analytics.apache.org
www.youtube.com; style-src 'self' 'unsafe-inline'; img-src * blob: data:;
media-src *.s3.amazonaws.com; connect-src *; font-src 'self'; frame-src
www.youtube.com youtube.com giscus.app youtu.be;"
- },
{
"key": "Referrer-Policy",
"value": "strict-origin-when-cross-origin"