@Jtrust Jtrust commented Jan 25, 2026

No description provided.

netlify bot commented Jan 25, 2026

Deploy Preview for skywalking-website-preview ready!

Name Link
🔨 Latest commit f35ddf4
🔍 Latest deploy log https://app.netlify.com/projects/skywalking-website-preview/deploys/69758c17b1c6100008ed9100
😎 Deploy Preview https://deploy-preview-810--skywalking-website-preview.netlify.app

Copilot AI left a comment


Pull request overview

Updates the site’s Content Security Policy in .htaccess to allow hCaptcha resources to load and function correctly under CSP.

Changes:

  • Extends connect-src to include hCaptcha subdomains.
  • Adds explicit style-src and img-src directives permitting hCaptcha assets.


frame-src 'self' https://www.youtube.com https://player.bilibili.com https://hcaptcha.com https://*.hcaptcha.com; \
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.algolianet.com https://*.algolia.net https://*.algolia.io https://api.github.com https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://hcaptcha.com https://*.hcaptcha.com; \
connect-src 'self' https://*.algolianet.com https://*.algolia.net https://*.algolia.io https://api.github.com https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app; \
connect-src 'self' https://*.algolianet.com https://*.algolia.net https://*.algolia.io https://api.github.com https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://*.hcaptcha.com; \
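
Review bot: On the added connect-src line the only hCaptcha source is https://*.hcaptcha.com, while frame-src and script-src two lines above list both https://hcaptcha.com and https://*.hcaptcha.com. Add https://hcaptcha.com to connect-src so the three directives agree, or state in the PR description (currently empty) that no request goes to the bare domain. The overview also mentions new style-src and img-src directives that are not visible in this hunk; they should carry the same pair of sources.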

Copilot AI Jan 25, 2026


In CSP, https://*.hcaptcha.com does not match the apex host https://hcaptcha.com. If hCaptcha makes XHR/fetch calls to https://hcaptcha.com (common for verification endpoints), they will still be blocked. Consider adding https://hcaptcha.com explicitly to connect-src alongside the wildcard.

Suggested change
connect-src 'self' https://*.algolianet.com https://*.algolia.net https://*.algolia.io https://api.github.com https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://*.hcaptcha.com; \
connect-src 'self' https://*.algolianet.com https://*.algolia.net https://*.algolia.io https://api.github.com https://kapa-widget-proxy-la7dkmplpq-uc.a.run.app https://hcaptcha.com https://*.hcaptcha.com; \

@wu-sheng wu-sheng merged commit c9cf4d1 into master Jan 25, 2026
10 of 11 checks passed
@wu-sheng wu-sheng deleted the Jtrust-patch-1 branch January 25, 2026 04:41
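
The wildcard-versus-apex point raised in the review comment above, as an added example (not code from the PR or the SkyWalking project): a simplified CSP host-source matcher that compares the connect-src line from the diff with the suggested one. The policy strings are trimmed from the diff; the request URLs and the `https://site.example` origin are constructed placeholders.

```javascript
// Added example, not project code. Simplified CSP source matching:
// scheme and host only; ports, paths and default-src fallback are ignored.

// Parse a header value (with .htaccess "\" line continuations) into {directive: [sources]}.
function parsePolicy(text) {
  const policy = {};
  for (const part of text.replace(/\\\r?\n/g, " ").split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Host-part match: "*.example.com" covers subdomains only, never "example.com" itself.
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// True when some source in `directive` allows `url`; `selfOrigin` resolves 'self'.
function allows(policy, directive, url, selfOrigin) {
  const target = new URL(url);
  return (policy[directive] || []).some((source) => {
    if (source === "'self'") return target.origin === selfOrigin;
    const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/:]+)/i.exec(source);
    if (!m) return false; // other keywords such as 'unsafe-inline' never match a URL
    return target.protocol === m[1].toLowerCase() + ":" &&
      hostMatches(m[2].toLowerCase(), target.hostname);
  });
}

// connect-src as changed in the PR diff and as suggested in review (other hosts trimmed).
const PR_LINE = "connect-src 'self' https://api.github.com https://*.hcaptcha.com; \\\n";
const SUGGESTED = "connect-src 'self' https://api.github.com https://hcaptcha.com https://*.hcaptcha.com; \\\n";

// Constructed request URLs: one subdomain, one apex. Paths and the "api" label are placeholders.
const REQUESTS = ["https://api.hcaptcha.com/x", "https://hcaptcha.com/x"];

// Returns [subdomainAllowed, apexAllowed] for the given policy text.
function report(policyText) {
  const policy = parsePolicy(policyText);
  return REQUESTS.map((u) => allows(policy, "connect-src", u, "https://site.example"));
}

console.log("PR line:  ", report(PR_LINE));
console.log("suggested:", report(SUGGESTED));
```

To learn which hosts the widget really contacts, watch the browser console for CSP violation messages on a page that loads it.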