fix: Self-host all external website dependencies #1197

Merged: NightOwl888 merged 3 commits into apache:master from mmafrar:issue/1185 on Oct 10, 2025

@mmafrar mmafrar commented Oct 2, 2025

Contributor
  • You've read the Contributor Guide and Code of Conduct.
  • You've included unit or integration tests for your change, where applicable.
  • You've included inline docs for your change, where applicable.
  • There's an open issue for the PR that you are making. If you'd like to propose a change, please open an issue to discuss the change or find an existing issue.

Fix CSP violations by self-hosting external resources

See #1185 (this only does the fonts, we still have the book images to do, but require permission to host them).

Description

External stylesheets and images from domains like cdnjs.cloudflare.com, fonts.googleapis.com, and images-na.ssl-images-amazon.com were blocked due to restrictive Content Security Policy (CSP). All dependencies are now self-hosted to comply with the site's CSP configuration.

@mmafrar mmafrar marked this pull request as ready for review October 2, 2025 01:44
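
A pre-deploy check for the problem the description names, as an added example that is not part of this PR or the project's build scripts: it lists every subresource in a page that a same-origin CSP would block. `ALLOWED_HOSTS`, the helper names and the sample page are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"lucenenet.apache.org"}  # assumption: the only origin the CSP permits
# Attributes that trigger a subresource fetch; <a href> is navigation and is ignored.
FETCH_ATTRS = {"script": "src", "img": "src", "link": "href", "iframe": "src"}
CSS_URL = re.compile(r"""(?:url\(\s*|@import\s+(?!url\())['"]?([^'")\s;]+)""", re.I)

def external_host(url):  # off-site host, or None when relative or allowed
    parsed = urlparse("https:" + url if url.startswith("//") else url)
    if parsed.scheme not in ("http", "https"):
        return None  # relative path, data: URI, etc.
    host = (parsed.hostname or "").lower()
    return None if host in ALLOWED_HOSTS else host

class ResourceScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (where, url, host)
        self.in_style = False
    def record(self, where, urls):
        for url in urls:
            if url and external_host(url):
                self.findings.append((where, url, external_host(url)))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.in_style = tag == "style"
        self.record(tag, [attrs.get(FETCH_ATTRS.get(tag, ""))])

    def handle_endtag(self, tag):
        self.in_style = False
    def handle_data(self, data):
        if self.in_style:  # inline stylesheet: check url() and @import targets
            self.record("style", CSS_URL.findall(data))

def scan(html):
    scanner = ResourceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; paths are placeholders, not the site's real files.
SAMPLE = """<link rel="stylesheet" href="https://cdnjs.cloudflare.com/example/font.css">
<link rel="stylesheet" href="/styles/main.css">
<style>@import url('https://fonts.googleapis.com/css?family=Example');
@font-face { src: url("https://lucenenet.apache.org/fonts/example.woff2"); }</style>
<img src="//images-na.ssl-images-amazon.com/images/example.jpg"><a href="https://example.org/">link</a>"""
```

Running `scan` over each built page and failing the build on a non-empty result catches a new third-party reference before the browser's CSP does.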
@NightOwl888

Contributor

@mmafrar

Thanks for the PR.

While we do want to host these files on our website (which we do when we deploy the built site to https://github.com/apache/lucenenet-site, which backs our hosting), we ideally wouldn't be committing the binary files to this repository. Rather, we should have the build scripts download them prior to deploying.

Ideally, we would set up some sort of package manager such as npm, bower, etc. to download the versioned packages such as font-awesome to make this process simpler.

The build scripts are named site.ps1 and docs.ps1 as referred to in the website & docs documentation, which also describes how we deploy the website and docs site.

Let us know if you need any assistance with any of this (for example if you are unfamiliar with package managers or PowerShell), and we will do our best to assist.

mmafrar commented Oct 3, 2025

Contributor Author

@NightOwl888 I initially assumed that binary files should be committed to the repository, as the issue description didn’t clearly specify otherwise. I’ll investigate the correct approach and work on implementing it. If I encounter any blockers or am unable to proceed, I’ll reach out for guidance.

@NightOwl888

Contributor

@mmafrar

I understand your frustration. Often when we scope issues, we don't have all of the requirements (or don't consider all of them) at the time the issue is created. #1185 focused on the Apache policy requirements, not on the technical or legal concerns of our setup.

I reviewed this and it seems there is a precedent for how to deal with binary files without committing them to this repo. We host those directly on https://github.com/apache/lucenenet-site and then use absolute URLs to link to them (so they will always appear when building locally).

So, the simplest solution is to open a PR on that repository so we can move the files there. Once the files are there, they will be available at the https://lucenenet.apache.org/ URL (in the same directory structure as the repo). This means you will get credit for 2 separate PRs just for fixing this one issue.

NOTE: For now, we can forgo the package manager option that I mentioned earlier for the sake of expediency.

Legal Concerns

AFAIK, we don't have legal permission to host the book images on our website. So, for now, let's leave this out of this fix and continue linking to the broken images until we get that worked out. Unfortunately, there are sometimes conflicting requirements like these that require more time to get through than what should be a "simple" fix, but there is no reason to penalize you for that.

If you wish to help us navigate this, then please do by all means. However, it doesn't seem fair to add this as a requirement for this task after you have already submitted a PR.

So, when this PR is completed, either we should keep #1185 open to deal with the book images separately, or we should tag this PR with hacktoberfest-accepted so you get the credit and then update this PR after we work out the legal issues with the book images.

Conclusion

So, to finish up this task:

  1. Fork the asf-site branch of https://github.com/apache/lucenenet-site
  2. Clone the fork locally
  3. Check out the asf-site branch
  4. Create a branch based off of the asf-site branch for your PR
  5. Copy the font files into the fonts/ directory
  6. Push your local branch to your fork and open a PR at https://github.com/apache/lucenenet-site/pulls
  7. Wait for us to review and accept the PR
  8. Remove the binary files from this branch (all images and fonts)
  9. Change the links to the images back to the originals
  10. Change the links to the font files to use https://github.com/apache/lucenenet-site/fonts
  11. Fix up any additional things that may be broken by having the files hosted in 2 different places
  12. Let us know when it is ready for review

Please keep any .js and .css files in this repository, as it will make deployment simpler if we do it manually.

NOTE: I don't know for certain whether all references to the font files can be updated without changing 3rd party .css or .js files. Ideally, we wouldn't change 3rd party files, but patch them by adding additional .css or .js files to update these references. Let us know if you run into any snags.

mmafrar commented Oct 4, 2025

Contributor Author

@NightOwl888 Is the https://github.com/apache/lucenenet-site repository intentionally unlicensed?

NightOwl888 commented Oct 4, 2025

Contributor

> @NightOwl888 Is the https://github.com/apache/lucenenet-site repository intentionally unlicensed?

Good point. You are right, it should have a LICENSE.txt file in the master branch.

If you are so inclined, you may submit a PR. Use the license file from here: https://github.com/apache/lucenenet-codeanalysis-dev/blob/main/LICENSE.txt, but change the beginning of the date range to 2020.

@NightOwl888 NightOwl888 added the notes:website-or-documentation Documentation or website changes label Oct 4, 2025
@NightOwl888 NightOwl888 added the hacktoberfest-accepted PR is approved for Hacktoberfest even if not merged label Oct 4, 2025
mmafrar commented Oct 4, 2025

Contributor Author

> @NightOwl888 Is the https://github.com/apache/lucenenet-site repository intentionally unlicensed?
>
> Good point. You are right, it should have a LICENSE.txt file in the master branch.
>
> If you are so inclined, you may submit a PR. Use the license file from here: https://github.com/apache/lucenenet-codeanalysis-dev/blob/main/LICENSE.txt, but change the beginning of the date range to 2020.

@NightOwl888 Here is the link: apache/lucenenet-site#57

@NightOwl888 NightOwl888 merged commit 5b48701 into apache:master Oct 10, 2025
1 check passed
@mmafrar mmafrar deleted the issue/1185 branch October 11, 2025 01:10
asf-gitbox-commits pushed a commit that referenced this pull request Oct 31, 2025
* fix: Self-host all external website dependencies

* fix: Resolve CSP violations by self-hosting fonts

* fix: Revert images and update fonts to refer lucenenet-site
paulirwin pushed a commit to paulirwin/lucene.net that referenced this pull request Jun 16, 2026
* fix: Self-host all external website dependencies

* fix: Resolve CSP violations by self-hosting fonts

* fix: Revert images and update fonts to refer lucenenet-site