This is an automated email from the ASF dual-hosted git repository.

zhangjuntao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/skywalking-website.git


The following commit(s) were added to refs/heads/master by this push:
     new 845283c7c96 fix: use SetEnv CSP_PROJECT_DOMAINS instead of overriding CSP header (#815)
845283c7c96 is described below

commit 845283c7c960aec88d7170df003541316721d779
Author: Senrian <[email protected]>
AuthorDate: Sat Mar 21 11:51:42 2026 +0800

    fix: use SetEnv CSP_PROJECT_DOMAINS instead of overriding CSP header (#815)
    
    Follow Apache Infra standard CSP handling per https://infra.apache.org/tools/csp.html
    The Content-Security-Policy header must not be overridden directly.
    Instead, use SetEnv CSP_PROJECT_DOMAINS to add project-specific domains
    to the default Apache CSP base policy.
    
    Co-authored-by: Zhang Juntao <[email protected]>
---
 .htaccess | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.htaccess b/.htaccess
index 9fd92dafe3f..ba9451e69f0 100644
--- a/.htaccess
+++ b/.htaccess
@@ -1,5 +1,4 @@
 ErrorDocument 404 /404.html
 
-<IfModule mod_headers.c>
-    Header set Content-Security-Policy "frame-src 'self' 
https://www.google.com https://app.netlify.com";
-</IfModule>
+# CSP permissions for apache.skywalking.apache.org - Adding third party 
services Google, Netlify. Approved per https://infra.apache.org/tools/csp.html
+SetEnv CSP_PROJECT_DOMAINS "https://www.google.com https://app.netlify.com";
\ No newline at end of file
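
Review bot: The `;` after the closing quote on the added `SetEnv CSP_PROJECT_DOMAINS` line is not part of the quoted value, and Apache directives are not terminated with semicolons. `SetEnv` accepts only a variable name and an optional value, so the stray token may be rejected as an extra argument when the `.htaccess` is parsed. Suggest ending the line at the closing quote. Two smaller points in the same hunk: the comment names `apache.skywalking.apache.org`, which looks like a typo for the site's hostname, and the removed header limited these two origins to `frame-src`, so it is worth confirming that adding them through the base policy does not allow them in more directives than framing requires. The file also now ends without a trailing newline.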
