
Implement support for strict Content-Security-Policy (MapLibre usage) #218

Open
the-gabe opened this issue Jun 17, 2024 · 4 comments

Comments

@the-gabe

the-gabe commented Jun 17, 2024

Describe the problem

Hello, currently when using this library with a Content-Security-Policy policy, users are forced to use worker-src blob: which is inherently unsafe due to it being functionally equivalent to unsafe-eval. This is due to the usage of maplibre-gl. This would be generally seen as a pretty notable hole in a deployed Content-Security-Policy.

Describe the proposed solution

maplibre-gl has a CSP variant of its JS bundle, per: https://maplibre.org/maplibre-gl-js/docs/#csp-directives. It would be greatly appreciated if support for this was implemented, as then a much more fine-grained and significantly less vulnerable Content-Security-Policy can be leveraged.

Alternatives considered

No response

Additional Information

No response
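To make the CSP point in this report concrete, here is an added example (not code from the issue, from Esri Leaflet, or from MapLibre) that resolves which source list a policy actually applies to Web Workers and flags the `blob:` allowance the reporter describes. It assumes the CSP build is loaded as `maplibre-gl-csp.js` with its worker served same-origin via `maplibregl.workerUrl`, so that `worker-src 'self'` suffices; the two policy strings are constructed samples.

```javascript
// Added example: audit a Content-Security-Policy header for blob: workers.
// Per the CSP spec, worker requests fall back along this directive chain;
// the first directive present governs, and a repeated directive name is
// ignored after its first occurrence.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];

function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1); // first wins
  }
  return directives;
}

// Returns the directive and source list that govern worker-src for this policy.
function effectiveWorkerSources(header) {
  const d = parseCsp(header);
  for (const name of WORKER_FALLBACK) {
    if (name in d) return { directive: name, sources: d[name] };
  }
  return { directive: null, sources: null }; // policy places no restriction
}

// True when the policy lets a worker be created from a blob: URL.
// Note: the '*' wildcard does not match blob:, so only an explicit token counts.
function allowsBlobWorkers(header) {
  const { sources } = effectiveWorkerSources(header);
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === 'blob:');
}

// Constructed sample policies (hosts are placeholders).
// Weak: what the standard maplibre-gl bundle forces on a deployment.
const WEAK_CSP =
  "default-src 'self'; script-src 'self' https://cdn.example.test; worker-src blob:";
// Strict: usable with maplibre-gl-csp.js once the worker is served same-origin,
// e.g. maplibregl.workerUrl = '/vendor/maplibre-gl-csp-worker.js' (assumed path).
const STRICT_CSP =
  "default-src 'self'; script-src 'self' https://cdn.example.test; worker-src 'self'";

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak allows blob: workers ->', allowsBlobWorkers(WEAK_CSP));
  console.log('strict allows blob: workers ->', allowsBlobWorkers(STRICT_CSP));
}
```

A policy with no `worker-src` at all is not automatically safe: `script-src blob:` or `default-src blob:` reaches the same result through the fallback chain, which is what the check above surfaces.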

@the-gabe
Author

Please refer to https://w3c.github.io/webappsec-csp/#security-inherit-csp for additional details on this.

@gavinr-maps
Contributor

@the-gabe thank you for logging this issue. Could you please explain what your requested solution to this would be? Would it be a separate Esri Leaflet release file that's built using maplibre-gl-csp.js?

@the-gabe
Author

the-gabe commented Jun 18, 2024

@gavinr-maps Yes, that would be a good route forward, I believe.

@the-gabe
Author

the-gabe commented Jun 19, 2024

An alternate way of doing this could be just using this by default or shipping both in the dist file, and letting users with strict CSP needs configure it as they wish.
