Re: Broken website images due to Content Security Policy

Mon, 17 Feb 2025 15:09:44 -0800

I added a small bash script[1] to download the avatars from GitHub into the `img` folder every time the site is built.
We build our site relatively often, so the avatars should be pretty up-to-date most of the time. If this is not sufficient, we can add a periodic GitHub Action workflow to build the site every x days, which will re-download the avatars. However, I think the current approach should work just fine. 

[1] https://github.com/apache/calcite/blob/main/site/download-avatars.sh

On 18/02/2025 5:21 am, Julian Hyde wrote:

It’s a shame. The avatars make the site better. And no one’s privacy is being 
violated.

  
Julian



On Feb 17, 2025, at 05:40, Istvan Toth <st...@cloudera.com.invalid> wrote:

I prefer removing the avatars.
Having snapshots for existing ppl is half-solution, and trying to add some
kind of sync mechanism on build would be a waste of energy.

Istvan


On Mon, Feb 17, 2025 at 4:45 AM Francis Chuang <francischu...@apache.org>
wrote:

There are numerous broken resources on our websites due to the
Content-Security-Policy HTTP header deployed by the ASF [1].

The CSP is quite restrictive: default-src 'self' data: blob:
'unsafe-inline' https://www.apachecon.com/
https://www.communityovercode.org/ https://analytics.apache.org/;
script-src 'self' 'unsafe-inline' 'unsafe-eval'
https://analytics.apache.org/; style-src 'self' 'unsafe-inline' data:;
frame-ancestors 'self'; frame-src 'self' data: blob:; img-src 'self'
data: https://*.apache.org/; worker-src 'self' data: blob:;

I was able to fix the Lato font not loading on the Calcite and Avatica
sites by self-hosting it in CALCITE-6843 [2].

There are still quite a few resources broken on both the Calcite and
Avatica sites, mostly images. For most images, we can easily self-host
our own copy. However, we use GitHub avatars for the Community and News
pages on both sites. We can either self-host all the avatars (but they
won't be updated if the user changes them on GitHub) or we can get rid
of them.

What do you guys think?

Francis

[1] https://infra.apache.org/csp.html
[2] https://issues.apache.org/jira/browse/CALCITE-6843




--
*István Tóth* | Sr. Staff Software Engineer
*Email*: st...@cloudera.com
cloudera.com <https://www.cloudera.com>
[image: Cloudera] <https://www.cloudera.com/>
[image: Cloudera on Twitter] <https://twitter.com/cloudera> [image:
Cloudera on Facebook] <https://www.facebook.com/cloudera> [image: Cloudera
on LinkedIn] <https://www.linkedin.com/company/cloudera>
------------------------------
------------------------------
























					Reply via email to