From 282a61537273e4d476d019cec3e90cb8769b24f7 Mon Sep 17 00:00:00 2001
From: Zhang Juntao
Date: Sun, 25 Jan 2026 14:18:22 +0800
Subject: [PATCH 1/2] Refactor Content-Security-Policy in .htaccess Updated Content-Security-Policy to simplify directives and enhance security.
---
 .htaccess | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/.htaccess b/.htaccess
index 5785b041966b..2626cd4b6531 100644
--- a/.htaccess
+++ b/.htaccess
@@ -1,13 +1,17 @@
 ErrorDocument 404 /404.html
- Header always set Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline'; \
- frame-src 'self' https://www.youtube.com https://player.bilibili.com https://hcaptcha.com https://*.hcaptcha.com; \
- script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.algolianet.com https://*.algolia.net https://*.algolia.io https://api.github.com https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://hcaptcha.com https://*.hcaptcha.com; \
+ Header always set Content-Security-Policy "default-src 'self'; \
+ script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.algolianet.com https://*.algolia.net https://*.algolia.io https://api.github.com https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://js.hcaptcha.com https://*.hcaptcha.com; \
  connect-src 'self' https://*.algolianet.com https://*.algolia.net https://*.algolia.io https://api.github.com https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://*.hcaptcha.com; \
- style-src 'self' 'unsafe-inline' https://hcaptcha.com https://*.hcaptcha.com; \
- img-src 'self' data: https://hcaptcha.com https://*.hcaptcha.com; \
- frame-ancestors 'self'; \
+ frame-src 'self' https://www.youtube.com https://player.bilibili.com https://*.hcaptcha.com; \
+ style-src 'self' 'unsafe-inline' https:; \
+ img-src 'self' data: https:; \
+ font-src 'self' data: https:; \
+ media-src 'self' https:; \
  object-src 'none'; \
+ frame-ancestors 'self'; \
+ base-uri 'self'; \
+ form-action 'self'; \
  upgrade-insecure-requests;"
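Review bot: `script-src` on the new side still carries `'unsafe-inline' 'unsafe-eval'`, so the tightened `default-src 'self'` does little against injected script; inline handlers and eval-style sinks remain allowed. If the inline scripts cannot be removed yet, a comment above the header such as `# TODO: replace 'unsafe-inline'/'unsafe-eval' in script-src with nonces or hashes` would record that this is a known gap rather than the intended end state. Separately, `https://*.hcaptcha.com` does not match the apex host, and this hunk drops `https://hcaptcha.com` from `script-src` and `frame-src`; if the widget still loads anything from the apex it will be blocked, so keeping `https://hcaptcha.com https://*.hcaptcha.com` in both is safer. Because fetch types without their own directive now fall back to `'self'` instead of `https:`, serving the policy as `Content-Security-Policy-Report-Only` first would surface breakage before it is enforced.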
From 775e7f988c207745e00d2da4c06c081ab1f7a874 Mon Sep 17 00:00:00 2001
From: Zhang Juntao
Date: Sun, 25 Jan 2026 15:17:20 +0800
Subject: [PATCH 2/2] update .htaccess
---
 .htaccess | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/.htaccess b/.htaccess
index 2626cd4b6531..6688f2aa0d75 100644
--- a/.htaccess
+++ b/.htaccess
@@ -2,7 +2,7 @@ ErrorDocument 404 /404.html
  Header always set Content-Security-Policy "default-src 'self'; \
- script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.algolianet.com https://*.algolia.net https://*.algolia.io https://api.github.com https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://js.hcaptcha.com https://*.hcaptcha.com; \
+ script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.algolianet.com https://*.algolia.net https://*.algolia.io https://api.github.com https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://*.hcaptcha.com; \
  connect-src 'self' https://*.algolianet.com https://*.algolia.net https://*.algolia.io https://api.github.com https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://*.hcaptcha.com; \
  frame-src 'self' https://www.youtube.com https://player.bilibili.com https://*.hcaptcha.com; \
  style-src 'self' 'unsafe-inline' https:; \
@@ -11,7 +11,5 @@ ErrorDocument 404 /404.html
  media-src 'self' https:; \
  object-src 'none'; \
  frame-ancestors 'self'; \
- base-uri 'self'; \
- form-action 'self'; \
  upgrade-insecure-requests;"
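Review bot: The second hunk removes `base-uri 'self'` and `form-action 'self'`, and neither directive falls back to `default-src`, so after this change the policy places no limit on an injected base element or on where forms may submit. The commit message gives no reason for the removal. If a specific page broke, for example a form posting to a third-party host, naming that host is narrower than dropping the directive: `form-action 'self' https://PLACEHOLDER-FORM-HOST; \`. If nothing depended on it, restoring `base-uri 'self'; \` and `form-action 'self'; \` before `upgrade-insecure-requests;` keeps the protection the previous patch added.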