
API docs on polaris.apache.org are broken #941

Closed
collado-mike opened this issue Feb 4, 2025 · 9 comments
Labels
bug Something isn't working
Milestone

Comments

@collado-mike
Contributor

Describe the bug

API docs generated from the specs are broken on the apache site: https://polaris.apache.org/in-dev/unreleased/rest-catalog-open-api/ . Currently, they don't load at all, but previously when they did load, the links to various APIs didn't work at all.

To Reproduce

Go to https://polaris.apache.org/in-dev/unreleased/rest-catalog-open-api/

Actual Behavior

No response

Expected Behavior

No response

Additional context

No response

System information

No response

@collado-mike collado-mike added the bug Something isn't working label Feb 4, 2025
@HonahX
Contributor

HonahX commented Feb 4, 2025

Thanks @collado-mike! I also discovered the same. Initially I thought it was due to my recent change: #935, but the site still breaks even after it is reverted: #942

The current error is:

Refused to load the script 'https://cdn.jsdelivr.net/npm/redoc@latest/bundles/redoc.standalone.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

@singhpk234
Contributor

Adding

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net/npm/redoc@latest/bundles/redoc.standalone.js">

fixes this (tested locally); got this from the following SO thread:
https://stackoverflow.com/a/37308542

Happy to create a PR if no one else is working on it!

Side note: not sure how it worked before.

@HonahX
Contributor

HonahX commented Feb 4, 2025

@singhpk234 Thanks for the solution! Just curious, how do you reproduce the issue locally? My local build works fine even without the added meta.

@singhpk234
Contributor

@HonahX thank you for your question!

As you will see, the default CSP policy which is getting applied when rendering https://polaris.apache.org/in-dev/unreleased/rest-catalog-open-api/

is

"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/"

which our current script violates (note this doesn't get applied to the development env). To replicate this,
please go to hugo.yaml and add this to the end before rendering your website:

server:
  headers:
    for: /**
    values:
      Content-Security-Policy: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/"

To mitigate this add this policy

server:
  headers:
    for: /**
    values:
      Content-Security-Policy: "script-src 'self' https://cdn.jsdelivr.net 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/"

P.S. Not an expert in this area :P, please take this with a grain of salt!
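The check the browser performed in the error quoted earlier in this thread, as an added example (not Polaris project code): a small CSP `script-src` evaluator that applies the `script-src-elem` -> `script-src` -> `default-src` fallback and distinguishes a host source (`https://cdn.jsdelivr.net`, any file on that host, as in the hugo.yaml fix) from the exact-URL source used in the meta tag above (only that one file). The policy strings and URLs are constructed from the values quoted in the thread; wildcard hosts and ports other than the default are not modelled.

```python
from urllib.parse import urlparse

# Constructed inputs (not Polaris project code): the policy from the browser error,
# the host-source fix from hugo.yaml, and the meta-tag variant that lists one full URL.
ASF_POLICY = "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/"
HOST_FIX = "script-src 'self' https://cdn.jsdelivr.net 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/"
URL_FIX = ("default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' "
           "'unsafe-eval' https://cdn.jsdelivr.net/npm/redoc@latest/bundles/redoc.standalone.js")
REDOC = "https://cdn.jsdelivr.net/npm/redoc@latest/bundles/redoc.standalone.js"
PAGE = "https://polaris.apache.org"


def parse_csp(policy: str) -> dict:
    """Split a CSP string into {directive: [source expressions]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def source_matches(expr: str, url: str, page_origin: str) -> bool:
    """Simplified CSP host-source matching on scheme, host and path (no wildcards)."""
    u = urlparse(url)
    if expr == "'self'":  # same scheme and host as the page that loads the script
        p = urlparse(page_origin)
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if expr.startswith("'"):  # 'unsafe-inline', 'unsafe-eval', nonces, hashes: never match a URL
        return False
    if "://" not in expr:  # bare host such as cdn.jsdelivr.net takes the page's scheme
        expr = f"{urlparse(page_origin).scheme}://{expr}"
    e = urlparse(expr)
    if e.scheme != u.scheme or e.port != u.port:
        return False
    if e.hostname != u.hostname:
        return False
    if e.path in ("", "/"):  # host source: any path on that host is allowed
        return True
    if e.path.endswith("/"):  # directory source: path prefix must match
        return u.path.startswith(e.path)
    return u.path == e.path  # full-URL source (the meta-tag variant): exact file only


def script_allowed(policy: str, script_url: str, page_origin: str) -> bool:
    """Fallback chain the browser reported: script-src-elem -> script-src -> default-src."""
    d = parse_csp(policy)
    for directive in ("script-src-elem", "script-src", "default-src"):
        if directive in d:
            return any(source_matches(s, script_url, page_origin) for s in d[directive])
    return True  # no governing directive, so the load is not restricted
```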

@collado-mike
Contributor Author

@singhpk234 awesome, thanks for finding the solution. If you haven't already, please open a PR 🙏🏽

@sfc-gh-ygu
Contributor

It is still broken for me after #944. Can you confirm from your side?

@HonahX
Contributor

HonahX commented Feb 5, 2025

It is also broken for me. I did some searching in ASF infra and found that there is a recent update (INFRA ticket on the Content Security Policy). Specifically, the change enforces the following rule

4) Using Assets from other Domains
Assets (JavaScript files or snippets, images, fonts, CSS, etc.) from other domains cannot be loaded. All assets need to be hosted on ASF servers.

as documented at https://privacy.apache.org/policies/website-policy.html

It seems the shortcode we are using for rendering API docs,

<script src="https://cdn.jsdelivr.net/npm/redoc@latest/bundles/redoc.standalone.js"></script>

falls into the above category and therefore gets banned.

I think a quick solution will be to redirect API docs to a swagger editor, like what the Iceberg site does for the IRC spec:
https://github.com/apache/iceberg/blob/585a338c1e9d287476462e3a6abab40b8803fc2c/site/nav.yml#L45

Please correct me if I misunderstand anything :)

@singhpk234
Contributor

singhpk234 commented Feb 5, 2025

Yes, that understanding is correct! I was able to come to the same conclusion, as the given HUGO changes for serving the static contents we create are not coming into effect. It works locally, i.e. the local server is serving those static contents.
Seems like ASF has the same static serving infra, which doesn't allow this cross-domain serving.

Though this part is tricky, as they do say .htaccess can be overridden; if we can do that, we can override the headers? If that's true, maybe then we can modify the CSP policy:
https://infra.apache.org/project-site.html

I think a quick solution will be to redirect API docs to a swagger editor, like what the Iceberg site does for the IRC spec:

Agree with you, here is the PR for the fix: #950. It redirects to the yaml;
handled it in a way that solves both the yaml rendering

Thank you for digging this up @HonahX, definitely learned something today about ASF hosting!

@flyrain
Contributor

flyrain commented Feb 6, 2025

It works now. Thanks @collado-mike, @singhpk234 and @HonahX for the investigation and fix!

@flyrain flyrain closed this as completed Feb 6, 2025
@flyrain flyrain added this to the 1.0.0 milestone Feb 7, 2025