Fix CSP violations blocking jQuery, fonts, and search on production site#165
vinooganesh wants to merge 2 commits into apache:production
Conversation
alamb left a comment:
Thank you for this @vinooganesh
I am not sure about some of these changes -- maybe we can break them into separate PRs so we can merge the non-controversial stuff (like disabling Google Fonts and removing the body-end and head-end partials)
And then we can have another PR discussion about jquery
| @@ -0,0 +1,43 @@ | |||
| {{/* cSpell:ignore docsearch opengraph outputformat */ -}} | |||
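Review bot: the new head.html override (43 added lines, per the hunk header) replaces Docsy's own partial wholesale, and the only visible line is a cSpell pragma; a header comment stating that it is a copy of the Docsy v0.12.0 head.html with jQuery and Lunr loaded from static/js/ instead of the CDN would let a future Docsy upgrade tell which lines need to be re-synced and which were changed on purpose.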
Can we add some comments to this file explaining what it does / is used for?
| }, | ||
| }; | ||
| </script> | ||
| <script src="https://cdn.jsdelivr.net/npm/markmap-autoloader"></script> |
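Review bot: the line `<script src="https://cdn.jsdelivr.net/npm/markmap-autoloader"></script>` in scripts.html is itself an external CDN load, which the same apache.org CSP will block, and it is unpinned (no version in the path), so its contents can change underneath the site; either drop it, since the feature is not enabled, or vendor a pinned copy under static/js/ the way jQuery and Lunr are handled in this PR.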
Do we also need to vendor this URL?
|
|
||
| # Enable Lunr.js offline search | ||
| offlineSearch = false | ||
| offlineSearch = true |
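Review bot: `offlineSearch = true` switches the site to Docsy's Lunr index, which is generated at build time and served from the site itself, so no CSP exception is needed; the tuning values the description mentions (offlineSearchMaxResults = 25, offlineSearchSummaryLength = 200) are not visible in this context, so either keep them adjacent to this toggle or extend the `# Enable Lunr.js offline search` comment to say where they are set.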
| $primary: #56a4ed | ||
| $primary: #56a4ed; | ||
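Review bot: adding the missing semicolon on `$primary: #56a4ed;` is a fix unrelated to CSP; it is harmless, but a mention in the commit message would explain why _variables_project.scss was touched beyond the Google Fonts toggle.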
|
|
||
| // Disable Google Fonts to comply with apache.org Content Security Policy |
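Review bot: the comment `// Disable Google Fonts to comply with apache.org Content Security Policy` is added on its own here and the setting it describes (`$td-enable-google-fonts: false`, per the description) is not in the visible context; keep the comment directly above that line so the setting and its reason do not drift apart in later edits.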
Maybe we can create a separate PR just for this change
| @@ -0,0 +1,2 @@ | |||
| /*! jQuery v3.7.1 | (c) OpenJS Foundation and other contributors | jquery.org/license */ | |||
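Review bot: the vendored static/js/jquery-3.7.1.min.js arrives as a 2-line minified blob whose only provenance is the license banner `/*! jQuery v3.7.1 | (c) OpenJS Foundation and other contributors | jquery.org/license */`; record in the PR (or in a comment in head.html) the exact download URL and the SHA-256 of the file so a reviewer can confirm it matches the official 3.7.1 release, and do the same for lunr-2.3.9.min.js, since a vendored copy no longer carries the implicit check of being served by the upstream project.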
I do wonder why we need jquery -- the current site looks ok without it 🤔
- Add explanatory comments to head.html and scripts.html overrides
- Remove markmap-autoloader CDN block from scripts.html (not enabled, blocked by CSP)
- Fix scripts.html formatting that was mangled by an auto-formatter
- Bump offlineSearchMaxResults to 25 and offlineSearchSummaryLength to 200

Good call @alamb! I'll split these into separate PRs


Closes #163
The production site at parquet.apache.org is served behind Apache's Content Security Policy, which blocks resources from external CDNs. This causes broken styling, "jQuery is not defined" errors, and completely non-functional search on the live site, even though everything works fine in local dev. This PR eliminates all external resource dependencies so the site works identically in both environments.

What was broken

- code.jquery.com/jquery-3.7.1.min.js: "jQuery is not defined", breaks all JS functionality
- fonts.googleapis.com/css?family=Open+Sans
- cdn.jsdelivr.net/npm/@docsearch/css@3.8.2
- cdn.jsdelivr.net/npm/@docsearch/js@3.8.2: "docsearch is not defined", search completely broken

What this PR does

- Vendor jQuery locally (originally @alamb's idea, h/t to him) - Downloaded jquery-3.7.1.min.js to static/js/ and created a project-level override of Docsy's head.html partial to load it from there instead of the CDN. Same version, just self-hosted.
- Replace Algolia DocSearch with Lunr offline search - Algolia was doubly broken: blocked by CSP and the API keys were removed in a prior commit. Switched to Docsy's built-in Lunr search, which is fully client-side with no external dependencies. Also bumped max results to 25 and excerpt length to 200 chars for better usability.
- Disable Google Fonts - Set $td-enable-google-fonts: false so the site uses Bootstrap's system font stack instead of trying to fetch Open Sans from Google. Fonts render immediately with no network request.

Files changed

- hugo.toml - Enable offline search, remove Algolia config
- assets/scss/_variables_project.scss - Disable Google Fonts
- layouts/partials/head.html (new) - Override Docsy's head to load jQuery and Lunr locally
- layouts/partials/scripts.html (new) - Override Docsy's scripts to remove Algolia JS
- layouts/partials/hooks/head-end.html - Remove Algolia CSS hook
- layouts/partials/hooks/body-end.html - Remove Algolia JS hook
- static/js/jquery-3.7.1.min.js (new) - Vendored jQuery
- static/js/lunr-2.3.9.min.js (new) - Vendored Lunr

How I verified
Andrew mentioned he wanted to make sure dev matched prod - I built the site from the clean production branch (before) and confirmed all 4 external CDN references are present. Built again with these changes (after) and confirmed zero external resource loads remain. The dev server serves all JS, CSS, and the search index locally, and search returns results.
Also, no Docsy version changes here, stays on v0.12.0.
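The "before/after" check described under "How I verified" can be automated so it runs on every build and fails when a new external load sneaks into a partial. The script below is an added example written for this page; it is not code from the parquet-site repository or from this PR. It parses built HTML for sub-resource references (script src, stylesheet/preload/icon link href, img/iframe/source src, url() and @import inside inline style blocks) and reports any whose origin is not in an allowlist. The allowlist containing only parquet.apache.org, the two sample pages, and the use of Hugo's default `public/` output directory are all assumptions made for the example.

```python
"""Report external resource loads in built site output that a strict CSP would block."""
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlsplit

# Attributes through which a page pulls in a sub-resource.
RESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src",),
    "iframe": ("src",),
    "source": ("src",),
}
# <link> rel values that fetch a resource (canonical/alternate links do not).
RESOURCE_LINK_RELS = {"stylesheet", "preload", "modulepreload", "icon", "prefetch", "manifest"}
# Origins the production policy is assumed to allow: the site itself only.
ALLOWED_HOSTS = {"parquet.apache.org"}


class _ResourceCollector(HTMLParser):
    """Collects every URL a page would fetch as a sub-resource, in document order."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        if tag == "link":
            rels = (attrs.get("rel") or "").lower().split()
            if not RESOURCE_LINK_RELS.intersection(rels):
                return
        for name in RESOURCE_ATTRS.get(tag, ()):
            if attrs.get(name):
                self.urls.append(attrs[name])

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # Inline CSS can fetch fonts/images via url() and other sheets via @import.
        if self._in_style:
            self.urls.extend(re.findall(r"url\(\s*['\"]?([^'\")]+)", data))
            self.urls.extend(re.findall(r"@import\s+['\"]([^'\"]+)", data))


def is_external(url, allowed_hosts=ALLOWED_HOSTS):
    """True when the URL points at an origin outside the allowlist."""
    parts = urlsplit(url.strip())
    if parts.scheme == "data":
        return False          # inline data: URI, not a network fetch
    if not parts.netloc:
        return False          # relative path, served by the site itself
    # Protocol-relative "//cdn..." URLs land here too: netloc is set, scheme is empty.
    return (parts.hostname or "").lower() not in allowed_hosts


def external_resources(html, allowed_hosts=ALLOWED_HOSTS):
    """Return the external resource URLs referenced by one built HTML page."""
    collector = _ResourceCollector()
    collector.feed(html)
    return [u for u in collector.urls if is_external(u, allowed_hosts)]


def scan_site(output_dir="public", allowed_hosts=ALLOWED_HOSTS):
    """Map each built page (relative path) to its external loads; empty dict means clean."""
    root = Path(output_dir)
    findings = {}
    for page in sorted(root.glob("**/*.html")):
        hits = external_resources(page.read_text(encoding="utf-8", errors="replace"), allowed_hosts)
        if hits:
            findings[str(page.relative_to(root))] = hits
    return findings


# Constructed sample pages modelled on the PR description: the pre-fix head and the fixed one.
BEFORE_HTML = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Open+Sans">
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@docsearch/css@3.8.2">
<link rel="canonical" href="https://parquet.apache.org/docs/">
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@docsearch/js@3.8.2"></script>
<style>@font-face { font-family: X; src: url("/fonts/local.woff2"); }</style>
</head><body></body></html>"""

AFTER_HTML = """<html><head>
<link rel="stylesheet" href="/scss/main.css">
<script src="/js/jquery-3.7.1.min.js"></script>
<script src="/js/lunr-2.3.9.min.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    print("before:", external_resources(BEFORE_HTML))
    print("after:", external_resources(AFTER_HTML))
    for page, hits in scan_site().items():
        print(page, hits)
```

Run it from the repository root after `hugo` has populated `public/`; a non-empty result from `scan_site()` is the signal to fail the build. The canonical link in the sample is deliberately left unflagged because it is metadata, not a fetch, while a protocol-relative `//cdn...` reference is still reported since the browser resolves it to the external host.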