[ https://issues.apache.org/jira/browse/KUDU-3640?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17924775#comment-17924775 ]
Abhishek Chennaka commented on KUDU-3640:
-----------------------------------------

Hello [~niallp]

The changes have been pushed to the website and we do not see the Google Analytics script on the page anymore. Interestingly we also noticed a few of the page elements being blocked due to CSP (like bootstrap javascripts and images hosted in an internal server) and looking at the current CSP from the response header, we see the below:
{code:java}
content-security-policy: default-src 'self' data: blob: 'unsafe-inline' https://www.apachecon.com/ https://www.communityovercode.org/ https://analytics.apache.org/; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/; style-src 'self' 'unsafe-inline' data:; frame-ancestors 'self'; frame-src 'self'; img-src 'self' data: https://*.apache.org/;
{code}
which seems to be coming from here[1]

We were under the understanding this new CSP will be activated briefly during the brown-out period on February 1. Can you confirm the exact period of this initial testing? Meanwhile we are working to fix the blocked links.

[1][https://github.com/apache/infrastructure-p6/pull/2025/files]

> Remove Google Analytics from the Kudu Website
> ---------------------------------------------
>
>                 Key: KUDU-3640
>                 URL: https://issues.apache.org/jira/browse/KUDU-3640
>             Project: Kudu
>          Issue Type: Task
>          Components: website
>            Reporter: Niall Pemberton
>            Priority: Major
>
> Hi Kudu Team
> The ASF {_}*Privacy Policy*{_}[1][2] does not permit the use of _*Google Analytics*_ on any ASF websites and the ASF Infra team will soon enforce a {_}*Content Security Policy*{_}(CSP) that will block access to external trackers:
> * [https://lists.apache.org/thread/w34sd92v4rz3j28hyddmt5tbprbdq6lc]
> Please could you remove the use of the Google Analytics from the Kudu website?
> * [https://lists.apache.org/thread/gx92qvkgwpkn7y45hlpt60f5bh9zbwy1]
> I would have submitted a PR, but I see you're using Gerrit, so apologies, I'm not familiar with that, but it looks like the following file needs to be modified:
> * https://github.com/niallkp/kudu/blob/gh-pages/_includes/bottom_common.html
>
> The ASF hosts its own _*Matomo*_ instance to provide projects with analytics and you can request a tracking id for your project by sending a mail to *privacy AT apache.org.*
> * [https://privacy.apache.org/faq/committers.html#can-i-use-web-analytics-matomo]
>
> Additionally I would recommend reviewing any external resources loaded by your website. The Content Security Policy will prevent any resources being loaded from 3rd Party providers that the ASF does not have a Data Processing Agreement (DPA) with. On the 1st February Infra will begin a temporary "brownout" when the CSP will be turned on for a short period. This will allow projects to check which parts, if any, of their websites will stop working. The Privacy FAQ answers a number of questions about which external providers are permitted or not:
> * [https://privacy.apache.org/faq/committers.html]
> Thanks
> Niall
> [1] [https://privacy.apache.org/policies/website-policy.html]
> [2] [https://privacy.apache.org/faq/committers.html#can-i-use-google-analytics]

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
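
The check described in the comment above (finding which page resources the quoted policy blocks), as an added example that is not part of the original message or of any Kudu or ASF code. It assumes the site origin is `https://kudu.apache.org`, uses constructed sample resource URLs because the message does not list the blocked ones, and implements a simplified subset of CSP source matching (scheme, wildcard host, path prefix; ports and http-to-https upgrade are not modelled).

```javascript
// Policy copied from the response header quoted in the comment above.
const KUDU_CSP = "default-src 'self' data: blob: 'unsafe-inline' https://www.apachecon.com/ https://www.communityovercode.org/ https://analytics.apache.org/; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/; style-src 'self' 'unsafe-inline' data:; frame-ancestors 'self'; frame-src 'self'; img-src 'self' data: https://*.apache.org/;";

// Split "name src src; name src ..." into { name: [sources] }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources; // first occurrence wins
  }
  return policy;
}

// Does one source expression match a resource URL?
function sourceMatches(source, url, selfOrigin) {
  if (source === "'self'") return url.origin === selfOrigin;
  if (source.startsWith("'")) return false; // 'unsafe-inline' etc. never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase(); // e.g. data:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::\d+)?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, path = '/'] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const h = host.toLowerCase();
  // "*.apache.org" covers subdomains only, not the bare apache.org host.
  const hostOk = h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) : url.hostname === h;
  if (!hostOk) return false;
  return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
}

// Fetch directives (script-src, img-src, font-src, ...) fall back to default-src.
function isAllowed(policy, directive, resource, selfOrigin) {
  const sources = policy[directive] ?? policy['default-src'];
  if (!sources) return true; // no governing directive: nothing is restricted
  const url = new URL(resource, selfOrigin);
  return sources.some((s) => sourceMatches(s, url, selfOrigin));
}

// Constructed sample resources (hypothetical hosts and paths).
const SAMPLES = [
  ['script-src', '/js/bootstrap.min.js'],
  ['script-src', 'https://cdn.example.net/bootstrap.min.js'],
  ['img-src', 'https://images.example.internal/diagram.png'],
  ['img-src', 'https://www.apache.org/logo.png'],
  ['img-src', 'https://apache.org/logo.png'],
  ['font-src', 'https://fonts.example.net/a.woff2'],
];
function audit(header, selfOrigin, samples) {
  const policy = parsePolicy(header);
  return samples.map(([directive, resource]) =>
    ({ directive, resource, allowed: isAllowed(policy, directive, resource, selfOrigin) }));
}
console.table(audit(KUDU_CSP, 'https://kudu.apache.org', SAMPLES));
```

Resources reported as not allowed are the ones to self-host or move under an origin the policy lists.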