Describe the problem
Hello, currently when using this library with a Content-Security-Policy policy, users are forced to use worker-src blob: which is inherently unsafe due to it being functionally equivalent to unsafe-eval. This is due to the usage of maplibre-gl. This would be generally seen as a pretty notable hole in a deployed Content-Security-Policy.
Describe the proposed solution
maplibre-gl has a CSP variant of its JS bundle, per: https://maplibre.org/maplibre-gl-js/docs/#csp-directives It would be greatly appreciated if support for this was implemented, as then a much more fine grained and significantly less vulnerable Content-Security-Policy can be leveraged.
Alternatives considered
No response
Additional Information
No response
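As an added illustration (not code from this issue, from Esri Leaflet or from maplibre-gl), the check below parses a Content-Security-Policy header and reports whether workers may be created from blob: URLs, following the CSP Level 3 fallback chain worker-src, then child-src, script-src, default-src. The two policies are constructed: the first is the kind of policy the stock maplibre-gl bundle needs, the second is what a deployment of the CSP bundle with a self-hosted worker file could use instead.

```javascript
// Added example: find which CSP directive governs Worker creation and whether
// it permits blob: sources. Not part of Esri Leaflet or maplibre-gl.

// CSP Level 3 fallback chain consulted for worker scripts.
const WORKER_FALLBACK = ["worker-src", "child-src", "script-src", "default-src"];

// Parse "dir a b; dir2 c" into a Map of directive -> [sources].
// Per the spec, the first occurrence of a directive name wins; later ones are ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1).map((s) => s.toLowerCase()));
  }
  return policy;
}

// Return the directive (and its source list) the browser applies to worker creation,
// or null for an unrestricted policy.
function workerSources(policy) {
  for (const d of WORKER_FALLBACK) {
    if (policy.has(d)) return { directive: d, sources: policy.get(d) };
  }
  return null;
}

// True if workers may be spawned from blob: URLs, the setting the issue flags.
// Note: '*' and 'self' do not match blob: in CSP, so only an explicit blob: counts.
function allowsBlobWorkers(header) {
  const match = workerSources(parseCsp(header));
  if (match === null) return true; // no applicable directive, nothing is blocked
  return match.sources.includes("blob:");
}

// Constructed policies for comparison.
// What the stock maplibre-gl bundle needs (its worker is loaded from a blob: URL):
const STOCK_POLICY = "default-src 'self'; script-src 'self'; worker-src blob:";
// A policy for the maplibre-gl-csp bundle with a worker file served from the same origin:
const CSP_BUNDLE_POLICY = "default-src 'self'; script-src 'self'; worker-src 'self'";
```

A policy that omits worker-src but carries `child-src blob:` or `script-src blob:` is reported as allowing blob: workers too, which is what a check that only greps for the worker-src line would miss.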
@the-gabe thank you for logging this issue. Could you please explain what your requested solution to this would be? Would it be a separate Esri Leaflet release file that's built using maplibre-gl-csp.js?
An alternate way of doing this could be just using this by default or shipping both in the dist file, and letting users with strict CSP needs configure it as they wish.