fix(website): Use standard method for CSP frame-src exceptions (#36653)

liferoad · web-flow · commit b2960c9db3e0 · 2025-10-28T13:22:06.000-07:00
The method for allowing specific domains in iframes has been updated to align with Apache Infra's recommended practices.

Instead of directly setting the Content-Security-Policy header, this change uses the `SetEnv CSP_PROJECT_DOMAINS` directive. This is the standard way to add local exceptions, ensuring they are correctly merged with the global CSP managed by Apache Infra.

This change maintains the existing permissions for embedding content from Beam Playground, YouTube, and Google Drive.
diff --git a/website/www/site/static/.htaccess b/website/www/site/static/.htaccess
@@ -27,4 +27,6 @@ RedirectMatch "/contribute/release-guide" "https://github.com/apache/beam/blob/m
 
 RedirectMatch "/contribute/committer-guide" "https://github.com/apache/beam/blob/master/contributor-docs/committer-guide.md"
 
-Header set Content-Security-Policy "frame-src 'self' https://play.beam.apache.org/ https://www.youtube.com/ https://drive.google.com/ ;"
+# Allow embedding content from play.beam.apache.org, youtube.com and drive.google.com
+# This is the standard way to add local exceptions to the CSP, see https://infra.apache.org/tools/csp.html
+SetEnv CSP_PROJECT_DOMAINS "https://play.beam.apache.org/ https://www.youtube.com/ https://drive.google.com/"
