[ 
https://issues.apache.org/jira/browse/HBASE-29379?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18024439#comment-18024439
 ] 

Dávid Paksy commented on HBASE-29379:
-------------------------------------

The Team page is generated by the Apache Maven Project Info Reports plugin. 
Right now we use plugin version 3.1.2.

The plugin supports configuration regarding the avatars (photos):
 * either we can switch off the avatar images by setting [showAvatarImages to false|https://maven.apache.org/plugins/maven-project-info-reports-plugin/team-mojo.html#showAvatarImages]
 * or we could update the Maven plugin to 3.9.0 and use 
<externalAvatarImages>false</externalAvatarImages>; then the images will be 
downloaded and attached to the report during the build, and a local path will 
be used for the images.

See: 

[https://maven.apache.org/plugins/maven-project-info-reports-plugin/team-mojo.html]

 

> Photo images are blocked by CSP on Team website page
> ----------------------------------------------------
>
>                 Key: HBASE-29379
>                 URL: https://issues.apache.org/jira/browse/HBASE-29379
>             Project: HBase
>          Issue Type: Bug
>          Components: website
>            Reporter: Dávid Paksy
>            Priority: Major
>         Attachments: image-2025-06-06-09-03-12-039.png, 
> image-2025-06-06-09-04-00-402.png
>
>
> It seems that the recently enabled Content Security Policy (CSP) now blocks 
> photo images of team members on the project team page: 
> [https://hbase.apache.org/team.html]
> Also there is an error logged to browser dev tool console about this:
> {noformat}
> Refused to load the image 
> 'https://www.gravatar.com/avatar/de20895d3fbc56885e0c6679e428113d?d=mm&s=60' 
> because it violates the following Content Security Policy directive: 
> "default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' 
> https://www.apachecon.com/ https://www.communityovercode.org/ 
> https://*.apache.org/ https://apache.org/ https://*.scarf.sh/". Note that 
> 'img-src' was not explicitly set, so 'default-src' is used as a 
> fallback.{noformat}
> Before:
> !image-2025-06-06-09-03-12-039.png!
>  
> Now
> !image-2025-06-06-09-04-00-402.png!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
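
Added example, not part of the original message or of HBase's code: a simplified evaluator for the policy quoted in the console error, showing that with no img-src the image falls back to default-src, that the Gravatar URL matches none of its sources, and that a locally served avatar matches 'self'. The local path images/avatar.png is a hypothetical name, and the matcher assumes default ports and ignores scheme upgrades and redirects.

```javascript
// Policy string as reported in the console error quoted in the issue.
const POLICY = "default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' " +
  "https://www.apachecon.com/ https://www.communityovercode.org/ " +
  "https://*.apache.org/ https://apache.org/ https://*.scarf.sh/";

// Split "name src src; name src" into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per CSP, a repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Simplified source matching (assumption: default ports, no scheme upgrades, no redirects).
function matchesSource(expr, url, pageOrigin) {
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr.startsWith("'")) return false; // 'unsafe-inline', 'unsafe-eval' never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/]+)(\/.*)?$/i.exec(expr);
  if (!m || url.protocol !== m[1].toLowerCase() + ":") return false;
  const host = m[2].toLowerCase(), path = m[3] || "";
  // "*.example.org" covers subdomains only, not the bare domain.
  const hostOk = host.startsWith("*.") ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
  const pathOk = path === "" || (path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path);
  return hostOk && pathOk;
}

// Decide whether an <img> URL on pageUrl would load, and which directive governs it.
function checkImage(policy, imageUrl, pageUrl) {
  const directives = parsePolicy(policy);
  const directive = directives.has("img-src") ? "img-src" : "default-src";
  const sources = directives.get(directive);
  if (!sources) return { directive: null, allowed: true }; // nothing restricts images
  const url = new URL(imageUrl, pageUrl);
  const origin = new URL(pageUrl).origin;
  return { directive, allowed: sources.some((s) => matchesSource(s, url, origin)) };
}

const PAGE = "https://hbase.apache.org/team.html";
const GRAVATAR = "https://www.gravatar.com/avatar/de20895d3fbc56885e0c6679e428113d?d=mm&s=60";
console.log(checkImage(POLICY, GRAVATAR, PAGE));            // external avatar, as in the report
console.log(checkImage(POLICY, "images/avatar.png", PAGE)); // hypothetical local avatar path
```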
