[website] Allow Kapa AI Widget Resources on Fluss Website#3209
Kaixuan-Duan wants to merge 2 commits into apache:main from
Conversation
Fixes apache#3206

The "Ask AI" button on https://fluss.apache.org/ relies on the Kapa AI widget, but the ASF infra default Content-Security-Policy blocks all of its resources, so the widget never loads. This change adds the domains the widget actually contacts to the CSP_PROJECT_DOMAINS allowlist in website/.htaccess (which the ASF infra-side httpd config injects into default-src / script-src / style-src / frame-src):

* https://*.kapa.ai/ - widget bundle and assets (widget.kapa.ai)
* https://www.google.com/recaptcha/ and https://www.gstatic.com/recaptcha/ - Google reCAPTCHA Enterprise, loaded by the widget for anti-bot verification of feedback submissions
* https://*.a.run.app - Kapa chat-stream backend proxy, hosted on Google Cloud Run (kapa-widget-proxy-*.a.run.app)

Locally verified with a meta-CSP-equivalent test page (target/kapa-test.html served over http://localhost): the widget bundle loads, reCAPTCHA Enterprise loads, and the chat-stream proxy request is no longer blocked by CSP.
binary-signal left a comment:

What is this domain needed for? https://*.a.run.app looks suspicious.
Fair concern.

@wuchong @MehulBatra can you take a look? Or should we revert #3209 first and coordinate with the security team, as Jark pointed out?

@binary-signal @polyzos thanks for pushing back on this; you were right to flag the wildcards, and I'm sorry for the noise of the first revision. Kapa publishes an official CSP guide listing the exact hosts the widget needs: https://docs.kapa.ai/integrations/faq#how-do-i-fix-csp-errors. I cross-checked the bundle's runtime hosts against that list; they match exactly. The wildcards ( PR description updated. Could you take another look when you have a moment? Happy to tighten further if anything still looks off.

Hi @Kaixuan-Duan, thank you for the great work, but due to certain policies we cannot enable the third-party AI agent on the Fluss website. I am working on getting that resolved; for the time being I am going to close this, and we can get back to it later.
Purpose
Linked issue: close #3206
Brief change log
website/.htaccess: append to CSP_PROJECT_DOMAINS only the precise hosts listed in Kapa's documentation (https://docs.kapa.ai/integrations/faq#how-do-i-fix-csp-errors), plus the two reCAPTCHA hosts the widget loads at runtime:

* https://widget.kapa.ai (kapa-widget.bundle.js)
* https://proxy.kapa.ai
* https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app
* https://metrics.kapa.ai
* https://www.google.com/recaptcha/
* https://www.gstatic.com/recaptcha/ (recaptcha__<lang>.js; enterprise.js loaded transitively)
* https://hcaptcha.com
* https://*.hcaptcha.com

No cross-tenant wildcard is used.
Tests
This is an .htaccess-only change with no executable code path, so there is nothing to add to the JUnit suite.

API and Format
No. Website / CSP configuration only.
Documentation
No. User-visible behavior is that the existing "Ask AI" button starts working.
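Added example, not code from the Fluss project, ASF infra or Kapa: a small CSP host-source matcher that evaluates the first-revision allowlist from the PR description (with the https://*.a.run.app wildcard) side by side with the tightened list from the change log. It follows the CSP Level 3 host-source matching rules for scheme, a leading "*." host wildcard and path-prefix matching, and deliberately ignores 'self', nonces, hashes, ports and redirects. The resource URLs are constructed for the example from the hosts named in the PR, and the attacker-controlled Cloud Run hostname is hypothetical. The point it makes is the one binary-signal raised: a.run.app is a shared suffix for every Google Cloud Run tenant, so the wildcard form admits any tenant's scripts into script-src, while the exact proxy host does not.

```javascript
// Minimal CSP host-source matcher (added example; not Fluss/Kapa code).
// Models scheme, host (with leading "*." wildcard) and path-prefix matching
// per CSP Level 3. Not modelled: 'self', nonces, hashes, ports, redirects.

// Match one source expression (e.g. "https://*.kapa.ai" or
// "https://www.gstatic.com/recaptcha/") against an absolute URL.
function matchesSource(source, urlString) {
  const url = new URL(urlString);
  // source := [scheme "://"] host [path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/]+)(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, path] = m;
  // Scheme must match exactly when the expression carries one.
  if (scheme && scheme.toLowerCase() + ":" !== url.protocol) return false;
  const srcHost = host.toLowerCase();
  const urlHost = url.hostname.toLowerCase();
  if (srcHost.startsWith("*.")) {
    // "*.example.com" matches any subdomain, but NOT example.com itself.
    const suffix = srcHost.slice(1); // ".example.com"
    if (!urlHost.endsWith(suffix) || urlHost.length <= suffix.length) return false;
  } else if (srcHost !== urlHost) {
    return false;
  }
  if (path === undefined || path === "") return true;
  // A path ending in "/" is a prefix match; any other path must match exactly.
  return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
}

// True if any source expression in the directive value allows the URL.
function allowedBy(sources, urlString) {
  return sources.some((s) => matchesSource(s, urlString));
}

// Allowlist from the first revision of the PR (shared Cloud Run wildcard).
const WILDCARD_POLICY = [
  "https://*.kapa.ai",
  "https://www.google.com/recaptcha/",
  "https://www.gstatic.com/recaptcha/",
  "https://*.a.run.app",
];

// Tightened allowlist from the updated change log (exact hosts only).
const TIGHT_POLICY = [
  "https://widget.kapa.ai",
  "https://proxy.kapa.ai",
  "https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app",
  "https://metrics.kapa.ai",
  "https://www.google.com/recaptcha/",
  "https://www.gstatic.com/recaptcha/",
  "https://hcaptcha.com",
  "https://*.hcaptcha.com",
];

// Constructed sample URLs: resources the widget legitimately loads (hosts
// taken from the PR; paths are illustrative) plus a hypothetical
// attacker-controlled service on the shared a.run.app suffix.
const LEGIT_RESOURCES = [
  "https://widget.kapa.ai/kapa-widget.bundle.js",
  "https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app/chat/stream",
  "https://www.gstatic.com/recaptcha/releases/example/recaptcha__en.js",
];
const ATTACKER_RESOURCE = "https://evil-tenant-abc123-uc.a.run.app/payload.js"; // hypothetical

// Does the policy keep the widget working, and does it also admit the attacker?
function evaluate(policy) {
  return {
    legit: LEGIT_RESOURCES.every((u) => allowedBy(policy, u)),
    attacker: allowedBy(policy, ATTACKER_RESOURCE),
  };
}

console.log(JSON.stringify({
  wildcard: evaluate(WILDCARD_POLICY), // legit: true, attacker: true
  tight: evaluate(TIGHT_POLICY),       // legit: true, attacker: false
}));
```

Run it with `node csp-check.js`. Both policies keep the widget's own resources loading; only the wildcard one also admits the hypothetical tenant, which is what makes `https://*.a.run.app` in script-src a cross-tenant allowance rather than a Kapa-specific one. One caveat the matcher does not model: the CSP specification drops the path component of a source expression when matching a URL reached via redirect, so the `/recaptcha/` path suffixes on www.google.com and www.gstatic.com constrain the initial request only.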