Bug #41160
do not set Content-Security-Policy (CSP) headers for docs.ceph.com
Status: closed
Description
Sphinx uses inline style and JavaScript, and a modern browser supporting Content Security Policy refuses to load such style and JavaScript if the HTTP header returned by the web server does not allow the browser to load resources from unlisted sources.
Following is the response when accessing https://docs.ceph.com/ceph-prs/29544/search/?q=crimson
Response
HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: default-src 'self'; script-src 'self'
Content-Encoding: gzip
X-XSS-Protection: 1; mode=block
Transfer-Encoding: Identity
Date: Thu, 08 Aug 2019 11:32:47 GMT
Connection: keep-alive
X-Content-Type-Options: nosniff
ETag: W/"5d4c07e0-186d"
X-Frame-Options: SAMEORIGIN
Last-Modified: Thu, 08 Aug 2019 11:30:40 GMT
Server: nginx
Strict-Transport-Security: max-age=31536000
So it only allows "self": style sheets and JavaScript loaded from the same place the document is being loaded from. Because CSP uses a whitelist approach, this setting literally prevents the browser from loading the inlined style and JavaScript. Hence it hurts the functionality and user experience of accessing web pages rendered using the default Sphinx template, which is not 100% CSP friendly.
If we keep this setting on the web server, there is no way to override it. So I am wondering if we can change our nginx setting to remove the "Content-Security-Policy" settings, or at least to add
<meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline' 'self';script-src 'unsafe-inline' 'self' http://ayni.ceph.com;script-src-elem 'unsafe-inline' 'self' http://ayni.ceph.com;style-src 'unsafe-inline' 'self' https://fonts.googleapis.com;style-src-elem 'unsafe-inline' 'self';font-src https://fonts.googleapis.com https://fonts.gstatic.com" />
But I am inclined to just drop it so we can add the settings programmatically.
The related PR is located at https://github.com/ceph/ceph/pull/29544
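The following is an added example, not code from the Ceph project or from the bug reporter: a small CSP evaluator that reproduces the two points above in code. It implements the directive fallback chain (script-src-elem falls back to script-src, then default-src; style-src-elem to style-src, then default-src) and the rule that when several policies are delivered (for example one in the HTTP header and one in a `<meta>` tag) a load must be allowed by every one of them, so a `<meta>` policy can only tighten the header policy, never loosen it. The matching is deliberately simplified and is an assumption of this example: nonces, hashes, path matching and wildcards are not handled, and a scheme-less host source matches any scheme. The policy strings are the ones from this report; the request URLs are constructed sample inputs.

```python
"""Minimal CSP evaluator (illustrative, not a full CSP3 implementation)."""
from urllib.parse import urlsplit

# Fallback chain per directive, most specific first (CSP3 semantics).
FALLBACK = {
    "script-src-elem": ["script-src-elem", "script-src", "default-src"],
    "script-src": ["script-src", "default-src"],
    "style-src-elem": ["style-src-elem", "style-src", "default-src"],
    "style-src": ["style-src", "default-src"],
    "font-src": ["font-src", "default-src"],
}


def parse_csp(policy: str) -> dict:
    """Split a serialized policy into {directive-name: [source tokens]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:  # a repeated directive name is ignored
            directives[name] = tokens[1:]
    return directives


def effective_sources(directives: dict, directive: str):
    """Walk the fallback chain; None means no directive applies (unrestricted)."""
    for name in FALLBACK.get(directive, [directive, "default-src"]):
        if name in directives:
            return directives[name]
    return None


def allows_inline(policy: str, directive: str) -> bool:
    """Would an inline <script>/<style> governed by `directive` be allowed?"""
    srcs = effective_sources(parse_csp(policy), directive)
    if srcs is None:
        return True
    # Simplification: no nonce/hash support; only 'unsafe-inline' unblocks inline code.
    return "'unsafe-inline'" in srcs


def allows_source(policy: str, directive: str, url: str, page_origin: str) -> bool:
    """Would a fetch of `url` governed by `directive` be allowed on a page at `page_origin`?"""
    srcs = effective_sources(parse_csp(policy), directive)
    if srcs is None:
        return True
    u = urlsplit(url)
    origin = f"{u.scheme}://{u.netloc}"
    for src in srcs:
        s = src.lower()
        if s == "*":
            return True
        if s == "'self'":
            if origin == page_origin:
                return True
            continue
        if s.startswith("'"):  # other keyword sources do not match URLs
            continue
        if "://" in s:  # scheme-qualified host source: compare full origin
            if origin == s.rstrip("/"):
                return True
        elif u.netloc == s:  # bare host source (simplified: any scheme)
            return True
    return False


def inline_allowed_by_all(policies, directive: str) -> bool:
    """Multiple policies (header + <meta>) all have to allow the inline code."""
    return all(allows_inline(p, directive) for p in policies)


def source_allowed_by_all(policies, directive, url, page_origin) -> bool:
    return all(allows_source(p, directive, url, page_origin) for p in policies)


# Policies quoted in this bug report.
HEADER_CSP = "default-src 'self'; script-src 'self'"
META_CSP = (
    "default-src 'unsafe-inline' 'self';"
    "script-src 'unsafe-inline' 'self' http://ayni.ceph.com;"
    "script-src-elem 'unsafe-inline' 'self' http://ayni.ceph.com;"
    "style-src 'unsafe-inline' 'self' https://fonts.googleapis.com;"
    "style-src-elem 'unsafe-inline' 'self';"
    "font-src https://fonts.googleapis.com https://fonts.gstatic.com"
)
PAGE = "https://docs.ceph.com"  # constructed page origin for the checks

if __name__ == "__main__":
    print("header alone, inline script:", allows_inline(HEADER_CSP, "script-src-elem"))
    print("meta alone, inline script:  ", allows_inline(META_CSP, "script-src-elem"))
    print("header + meta, inline script:",
          inline_allowed_by_all([HEADER_CSP, META_CSP], "script-src-elem"))
    print("meta, <link> to fonts.googleapis.com:",
          allows_source(META_CSP, "style-src-elem",
                        "https://fonts.googleapis.com/css?family=Roboto", PAGE))
```

Running it shows why the reporter wants the header removed rather than supplemented: the header policy alone blocks inline script and style, the proposed `<meta>` policy alone allows them, and with both delivered the inline code is still blocked, because each policy is enforced independently. It also surfaces a problem in the proposed `<meta>` policy itself: since `style-src-elem` is present, a `<link rel="stylesheet">` to fonts.googleapis.com is checked against it and never falls back to `style-src`, so that stylesheet would be refused by a browser that supports `style-src-elem`. The wider caveat is that `'unsafe-inline'` in `script-src` gives up most of what CSP protects against (injected inline script), so if the header is dropped, whatever policy is later added programmatically should prefer nonces or hashes over `'unsafe-inline'`.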