@brandboat
Member

The Content-Security-Policy header must not be overridden.
There is now a standard way to add local exceptions to the CSP:
https://infra.apache.org/tools/csp.html

@brandboat
Member Author

quickstart local dev env screenshot:

image

@sebbASF

sebbASF commented Oct 26, 2025

Note that the .htaccess file needs to document why the override is allowed.

@brandboat
Member Author

@sebbASF, thanks for the comment! The reason we add YouTube here is that we use embedded YouTube videos in the QuickStart and Kafka Streams pages; see https://kafka.apache.org/quickstart and https://kafka.apache.org/documentation/streams/
Without this, browsers will block these iframes and videos won't display.

@sebbASF

sebbASF commented Oct 26, 2025

Your explanation covers why the override is needed.
However, it does not cover why the override is allowed.
According to https://infra.apache.org/tools/csp.html:

"Each additional host you add MUST have been pre-approved by VP Data Privacy ([email protected]), and SHOULD have an accompanying comment in the .htaccess file explaining why the CSP is changed and where permission was obtained."

@brandboat
Member Author

> Each additional host you add MUST have been pre-approved by VP Data Privacy ([email protected])

@sebbASF, thanks again for the comment! Could you please explain how this approval process is supposed to be done?
I don’t seem to have access to the email threads at [email protected], so I’m wondering whether this step needs to be handled by an Apache member or a project lead.
Sorry if this is a basic question — I’m just a casual contributor and not very familiar with the internal process. c.c. @chia7712

@sebbASF

sebbASF commented Oct 26, 2025

Such questions should be directed to the Kafka PMC in the first instance.
