Improve CSP directive (#944)

YongGoose · web-flow · commit 0f05dead22d7 · 2025-02-01T20:51:44.000+01:00
* Remove duplicate url from script-src

* Add tile.openstreetmap.org to directive
diff --git a/baremaps-server/src/main/resources/dem/index.html b/baremaps-server/src/main/resources/dem/index.html
@@ -22,8 +22,8 @@
     <meta charset='utf-8'>
     <meta name="viewport" content="width=device-width, initial-scale=1">
     <meta http-equiv="Content-Security-Policy" content="
-    default-src 'self' http://127.0.0.1:* http://localhost:* https://unpkg.com https://baremaps.apache.org;
-    script-src 'self' http://127.0.0.1:* http://localhost:* https://unpkg.com https://unpkg.com https://baremaps.apache.org 'unsafe-inline';
+    default-src 'self' http://127.0.0.1:* http://localhost:* https://unpkg.com https://baremaps.apache.org https://tile.openstreetmap.org;
+    script-src 'self' http://127.0.0.1:* http://localhost:* https://unpkg.com https://baremaps.apache.org 'unsafe-inline';
     worker-src 'self' blob:;
     child-src 'self' blob:;
     img-src 'self' data: blob: http://127.0.0.1:* http://localhost:* https://unpkg.com https://baremaps.apache.org;
diff --git a/baremaps-server/src/main/resources/static/server.html b/baremaps-server/src/main/resources/static/server.html
@@ -18,8 +18,8 @@
 <html lang="en">
 <head>
   <meta http-equiv="Content-Security-Policy" content="
-    default-src 'self' http://127.0.0.1:* http://localhost:* https://unpkg.com https://baremaps.apache.org;
-    script-src 'self' http://127.0.0.1:* http://localhost:* https://unpkg.com https://unpkg.com https://baremaps.apache.org 'unsafe-inline';
+    default-src 'self' http://127.0.0.1:* http://localhost:* https://unpkg.com https://baremaps.apache.org https://tile.openstreetmap.org;
+    script-src 'self' http://127.0.0.1:* http://localhost:* https://unpkg.com https://baremaps.apache.org 'unsafe-inline';
     worker-src 'self' blob:;
     child-src 'self' blob:;
     img-src 'self' data: blob: http://127.0.0.1:* http://localhost:* https://unpkg.com https://baremaps.apache.org;
diff --git a/baremaps-server/src/main/resources/static/viewer.html b/baremaps-server/src/main/resources/static/viewer.html
@@ -18,8 +18,8 @@
 <html lang="en">
 <head>
   <meta http-equiv="Content-Security-Policy" content="
-    default-src 'self' http://127.0.0.1:* http://localhost:* https://unpkg.com https://baremaps.apache.org;
-    script-src 'self' http://127.0.0.1:* http://localhost:* https://unpkg.com https://unpkg.com https://baremaps.apache.org 'unsafe-inline';
+    default-src 'self' http://127.0.0.1:* http://localhost:* https://unpkg.com https://baremaps.apache.org https://tile.openstreetmap.org;
+    script-src 'self' http://127.0.0.1:* http://localhost:* https://unpkg.com https://baremaps.apache.org 'unsafe-inline';
     worker-src 'self' blob:;
     child-src 'self' blob:;
     img-src 'self' data: blob: http://127.0.0.1:* http://localhost:* https://unpkg.com https://baremaps.apache.org;
diff --git a/basemap/index.html b/basemap/index.html
@@ -18,8 +18,8 @@
 <html lang="en">
 <head>
   <meta http-equiv="Content-Security-Policy" content="
-    default-src 'self' http://127.0.0.1:* http://localhost:* https://unpkg.com https://baremaps.apache.org;
-    script-src 'self' http://127.0.0.1:* http://localhost:* https://unpkg.com https://unpkg.com https://baremaps.apache.org 'unsafe-inline';
+    default-src 'self' http://127.0.0.1:* http://localhost:* https://unpkg.com https://baremaps.apache.org https://tile.openstreetmap.org;
+    script-src 'self' http://127.0.0.1:* http://localhost:* https://unpkg.com https://baremaps.apache.org 'unsafe-inline';
     worker-src 'self' blob:;
     child-src 'self' blob:;
     img-src 'self' data: blob: http://127.0.0.1:* http://localhost:* https://unpkg.com https://baremaps.apache.org;
diff --git a/examples/openstreetmap/index.html b/examples/openstreetmap/index.html
@@ -18,8 +18,8 @@
 <html lang="en">
 <head>
   <meta http-equiv="Content-Security-Policy" content="
-    default-src 'self' http://127.0.0.1:* http://localhost:* https://unpkg.com https://baremaps.apache.org;
-    script-src 'self' http://127.0.0.1:* http://localhost:* https://unpkg.com https://unpkg.com https://baremaps.apache.org 'unsafe-inline';
+    default-src 'self' http://127.0.0.1:* http://localhost:* https://unpkg.com https://baremaps.apache.org https://tile.openstreetmap.org;
+    script-src 'self' http://127.0.0.1:* http://localhost:* https://unpkg.com https://baremaps.apache.org 'unsafe-inline';
     worker-src 'self' blob:;
     child-src 'self' blob:;
     img-src 'self' data: blob: http://127.0.0.1:* http://localhost:* https://unpkg.com https://baremaps.apache.org;
