[Docs] Kapa.ai widget not loading on the dev docs

[thisisnic]

Describe the bug, including details regarding any error messages, version, and platform.

Last week we merged a PR to add an "ask AI" widget to the docs, but when looking at the dev docs site, it isn't loading correctly. It appears to be permissions-related.

In the R docs, developer tools show:

Content-Security-Policy: The page’s settings blocked a script (script-src-elem) at https://widget.kapa.ai/kapa-widget.bundle.js from being executed because it violates the following directive: “script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/ https://www.apachecon.com/” [index.html](https://arrow.apache.org/docs/dev/r/index.html)
Content-Security-Policy: The page’s settings blocked the loading of a resource (img-src) at https://www.r-pkg.org/badges/version-last-release/arrow because it violates the following directive: “img-src 'self' data: https://*.apache.org/ https://www.apachecon.com/” [index.html](https://arrow.apache.org/docs/dev/r/index.html)
Content-Security-Policy: The page’s settings blocked the loading of a resource (img-src) at https://github.com/apache/arrow/workflows/R/badge.svg?event=push because it violates the following directive: “img-src 'self' data: https://*.apache.org/ https://www.apachecon.com/” [index.html](https://arrow.apache.org/docs/dev/r/index.html)
Content-Security-Policy: The page’s settings blocked the loading of a resource (img-src) at https://apache.r-universe.dev/badges/arrow because it violates the following directive: “img-src 'self' data: https://*.apache.org/ https://www.apachecon.com/” [index.html](https://arrow.apache.org/docs/dev/r/index.html)
Content-Security-Policy: The page’s settings blocked the loading of a resource (img-src) at https://img.shields.io/conda/vn/conda-forge/r-arrow.svg because it violates the following directive: “img-src 'self' data: https://*.apache.org/ https://www.apachecon.com/”

On the main docs:

Content-Security-Policy: The page’s settings blocked a script (script-src-elem) at https://widget.kapa.ai/kapa-widget.bundle.js from being executed because it violates the following directive: “script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/ https://www.apachecon.com/”

In the privacy docs it says that we should have user consent before loading, but I did activate this.

It works fine on the PR preview: http://crossbow.voltrondata.com/pr_docs/45667

Will investigate further later unless anyone else has any ideas!

Component(s)

Documentation

[dvdksn]

Hey, it sounds like you need to whitelist Kapa domains in the site's CSP policy. The HTTP response needs to allow the domains listed here: https://docs.kapa.ai/integrations/understanding-csp-cors#configuring-csp-for-kapa