Closed raboof closed 7 months ago
Would be nice for testing the htaccess here and maybe add some explanation later. I didn't succeed to override/merge/add a CSP on netbeans.apache.org and left the default for now, seems tricky to get right. I'm unsure how to check this server side and client side (to know what effective policy is in action).
Would be nice for testing the htaccess here and maybe add some explanation later.
Agreed!
I didn't succeed to override/merge/add a CSP on netbeans.apache.org and left the default for now, seems tricky to get right. I'm unsure how to check this server side and client side (to know what effective policy is in action).
merge/add indeed don't seem to be working, but a `Header set Content-Security-Policy` seemed to be working for me (though I haven't fully tested yet...).
The YouTube embedding examples on https://privacy.apache.org/examples/youtube-html/with-youtube-embeds.html and https://privacy.apache.org/examples/youtube-html/with-youtube-api.html currently do not work because the recently-introduced default Content-Security-Policy of `frame-src 'self'` forbids it. Might be a nice opportunity to show how to use .htaccess to selectively enable it only for the https://privacy.apache.org/examples/youtube-html prefix?
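
A browser enforces every Content-Security-Policy a response delivers, so a policy appended to the default can only tighten it, while replacing the header can relax it. The sketch below is an added example (not code from this thread) that models this for frames; the embed URL, the relaxed policy and the simplified source matching (only `'self'`, `*` and exact origins) are assumptions.

```python
from urllib.parse import urlsplit

FALLBACK = ("frame-src", "child-src", "default-src")  # CSP fallback order for frames

def parse_policies(header_values):
    """Split response header lines into policies (dict: directive -> source list)."""
    policies = []
    for value in header_values:
        for serialized in value.split(","):       # commas separate whole policies
            policy = {}
            for directive in serialized.split(";"):
                tokens = directive.split()
                if tokens:
                    policy.setdefault(tokens[0].lower(), tokens[1:])  # first one wins
            policies.append(policy)
    return policies

def source_matches(source, frame_url, page_origin):
    """Simplified matching: 'self', '*' and exact-origin host sources only."""
    url = urlsplit(frame_url)
    origin = f"{url.scheme}://{url.netloc}"
    if source == "'self'":
        return origin == page_origin
    return source == "*" or source.rstrip("/").lower() == origin.lower()

def frame_allowed(header_values, frame_url, page_origin):
    """A frame loads only if every delivered policy allows it."""
    for policy in parse_policies(header_values):
        for name in FALLBACK:
            if name in policy:
                if not any(source_matches(s, frame_url, page_origin) for s in policy[name]):
                    return False
                break                              # most specific directive decides
    return True

# Constructed header values; only "frame-src 'self'" is quoted in the issue.
PAGE = "https://privacy.apache.org"
EMBED = "https://www.youtube.com/embed/VIDEO_ID"   # assumed embed URL
DEFAULT = "frame-src 'self'"
RELAXED = "frame-src 'self' https://www.youtube.com"   # assumed relaxed policy
CASES = {
    "default only": [DEFAULT],
    "Header add": [DEFAULT, RELAXED],              # two header lines
    "Header merge": [DEFAULT + ", " + RELAXED],    # one line, two policies
    "Header set": [RELAXED],                       # default replaced
}

if __name__ == "__main__":
    for name, headers in CASES.items():
        print(f"{name:13} -> frame allowed: {frame_allowed(headers, EMBED, PAGE)}")
```

To check a live page, pass the `Content-Security-Policy` header lines from the actual response (one list entry per header line) instead of the constructed values.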