From 66342a4e699ee246c82e7e7a4dc0709961202b4d Mon Sep 17 00:00:00 2001
From: Nic Crane
Date: Wed, 29 Oct 2025 08:03:17 +0000
Subject: [PATCH 1/2] Update .htaccess
---
 .htaccess | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/.htaccess b/.htaccess
index 806280f76841..319e05cbf5d5 100644
--- a/.htaccess
+++ b/.htaccess
@@ -25,8 +25,13 @@ Redirect permanent /datafusion-python https://datafusion.apache.org/python
 # redirect all ballista URLs to new website
 Redirect permanent /ballista https://datafusion.apache.org/ballista
-# enable kapa.ai bot (GH-45665)
-# See https://docs.kapa.ai/integrations/understanding-csp-cors and https://issues.apache.org/jira/browse/INFRA-26638
-
- Header set Content-Security-Policy "default-src 'self' data: blob: 'unsafe-inline' https://www.apachecon.com/ https://www.communityovercode.org/ https://analytics.apache.org/; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/ https://www.apachecon.com/ https://*.kapa.ai/ https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ https://www.recaptcha.net/; script-src-elem 'self' 'unsafe-inline' https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://analytics.apache.org/ https://widget.kapa.ai/; style-src 'self' 'unsafe-inline' https://*.kapa.ai/ data:; frame-ancestors 'self'; frame-src 'self' data: blob: https://www.google.com/ https://www.recaptcha.net/; connect-src 'self' https://analytics.apache.org proxy.kapa.ai kapa-widget-proxy-la7.kapa.ai kapa-widget-proxy-la7dkmplpq-uc.a.run.app metrics.kapa.ai www.google.com recaptcha.net; img-src 'self' data: https://*.apache.org/ https://www.apachecon.com/ https://*.kapa.ai/ https://www.google.com https://*.gstatic.com/; worker-src 'self' data: blob:;"
-
+# Content-Security-Policy exceptions for kapa.ai bot and reCAPTCHA
+# See https://infra.apache.org/tools/csp.html for information on adding CSP exceptions
+#
+# kapa.ai bot integration: Approved in https://issues.apache.org/jira/browse/INFRA-26638
+# Domains required for kapa.ai widget functionality
+#
+# Google reCAPTCHA: Required for anti-spam protection on Apache event sites
+#
+# Apache community event sites: www.apachecon.com and www.communityovercode.org
+SetEnv CSP_PROJECT_DOMAINS "https://*.kapa.ai/ https://widget.kapa.ai/
https://proxy.kapa.ai/ https://kapa-widget-proxy-la7.kapa.ai/ https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app/ https://metrics.kapa.ai/ https://www.gstatic.com/ https://www.google.com/ https://www.recaptcha.net/ https://recaptcha.net/ https://www.apachecon.com/ https://www.communityovercode.org/"
From c4f45e7bd6aed6f191049ffbbaffd27c36105103 Mon Sep 17 00:00:00 2001
From: Nic Crane
Date: Wed, 29 Oct 2025 08:09:08 +0000
Subject: [PATCH 2/2] Remove extra comments
---
 .htaccess | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/.htaccess b/.htaccess
index 319e05cbf5d5..2608897a04c5 100644
--- a/.htaccess
+++ b/.htaccess
@@ -25,13 +25,6 @@ Redirect permanent /datafusion-python https://datafusion.apache.org/python
 # redirect all ballista URLs to new website
 Redirect permanent /ballista https://datafusion.apache.org/ballista
-# Content-Security-Policy exceptions for kapa.ai bot and reCAPTCHA
-# See https://infra.apache.org/tools/csp.html for information on adding CSP exceptions
-#
-# kapa.ai bot integration: Approved in https://issues.apache.org/jira/browse/INFRA-26638
-# Domains required for kapa.ai widget functionality
-#
-# Google reCAPTCHA: Required for anti-spam protection on Apache event sites
-#
-# Apache community event sites: www.apachecon.com and www.communityovercode.org
+# Content-Security-Policy exceptions (see https://infra.apache.org/tools/csp.html)
+# kapa.ai domains approved in https://issues.apache.org/jira/browse/INFRA-26638
 SetEnv CSP_PROJECT_DOMAINS "https://*.kapa.ai/ https://widget.kapa.ai/ https://proxy.kapa.ai/ https://kapa-widget-proxy-la7.kapa.ai/ https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app/ https://metrics.kapa.ai/ https://www.gstatic.com/ https://www.google.com/ https://www.recaptcha.net/ https://recaptcha.net/ https://www.apachecon.com/ https://www.communityovercode.org/"
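Review bot: The `CSP_PROJECT_DOMAINS` list added at the end of the first hunk (and carried unchanged as context in the second) allows whole origins where the removed `Header set Content-Security-Policy` line allowed scripts only from the reCAPTCHA paths: `https://www.gstatic.com/` and `https://www.google.com/` replace `https://www.gstatic.com/recaptcha/` and `https://www.google.com/recaptcha/`. How the server expands this variable into directives is not visible in the diff, but if the same list feeds the script sources it is considerably wider than reCAPTCHA needs; consider `https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/`, provided the frame, image and connect uses still work with the path-scoped form. The list also keeps `https://*.kapa.ai/` next to four explicit kapa.ai hosts that the wildcard already covers, so one of the two is redundant, and dropping the wildcard is the tighter choice if the widget needs no other subdomain.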