[Website] Fix Content-Security-Policy header configuration

[thisisnic]

Switches from directly setting the Content-Security-Policy header to using Apache Infra's recommended SetEnv CSP_PROJECT_DOMAINS approach. This resolves issue #723 by adding CSP exceptions rather than overriding the entire header.

Approval: https://issues.apache.org/jira/browse/INFRA-26638

We should test this when we merge it in case it breaks anything, as per previous updates with this.

[github-actions]

Preview URL: https://thisisnic.github.io/arrow-site

If the preview URL doesn't work, you may forget to configure your fork repository for preview.
See https://github.com/apache/arrow-site/blob/main/README.md#forks how to configure.

[sebbASF]

There is no need to add https://proxy.kapa.ai/ etc as they are included in https://*.kapa.ai/
communityovercode is in the default setting, so no need for that either.

Also, INFRA-26638 only relates to kapa.ai; you need to get approval before adding any other exceptions.

[thisisnic]

Thanks @sebbASF - where can I find out which ones are included as the default so I can check the others?

[sebbASF]

The default is currently:

default-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://www.apachecon.com/ https://www.communityovercode.org/ https://.apache.org/ https://apache.org/ https://.scarf.sh/ ;

script-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://www.apachecon.com/ https://www.communityovercode.org/ https://.apache.org/ https://apache.org/ https://.scarf.sh/ ;

style-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://www.apachecon.com/ https://www.communityovercode.org/ https://.apache.org/ https://apache.org/ https://.scarf.sh/ ;

frame-ancestors 'self';

frame-src 'self' data: blob: 'unsafe-inline' 'unsafe-eval' https://www.apachecon.com/ https://www.communityovercode.org/ https://.apache.org/ https://apache.org/ https://.scarf.sh/ ;

worker-src 'self' data: blob:;

[I've added extra line-breaks to make it clearer]

I don't think this is documented anywhere (yet), but can be found by checking any site that does not use an override.
For example whimsy.a.o

$ curl -fsSIL https://whimsy.apache.org | grep -i 'policy'

[sebbASF]

You don't need https://xxxetc.kapa.ai/ as that is covered by https://*.kapa.ai/
Also note that there are specific requirements for kapa.ai:
https://privacy.apache.org/faq/committers.html#can-i-use-kapaai-on-our-website-answer-machine

https://www.apachecon.com/ and https://www.communityovercode.org/ are covered in the default CSP

The other hosts need approval from privacy before they can be used.