Fix CSP for OpenStreetMap tiles
@@ -89,7 +89,8 @@ async def _security_headers(request: Request, call_next) -> Response:
|
|||||||
response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
|
response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
|
||||||
response.headers["Content-Security-Policy"] = (
|
response.headers["Content-Security-Policy"] = (
|
||||||
"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';"
|
"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';"
|
||||||
" img-src 'self' data: blob: https://*.tile.openstreetmap.org"
|
" img-src 'self' data: blob: https://*.tile.openstreetmap.org;"
|
||||||
|
" connect-src 'self' https://*.tile.openstreetmap.org"
|
||||||
)
|
)
|
||||||
return response
|
return response
|
||||||
|
|
||||||
|
|||||||
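Review bot: The host source `https://*.tile.openstreetmap.org` added to `connect-src` (and already present in `img-src`) matches subdomains only, not the bare host `tile.openstreetmap.org`, so tile requests to the apex host would still be blocked. The tile URL the front end uses is not visible here; confirm which host it requests and list exactly that one, e.g. `" connect-src 'self' https://tile.openstreetmap.org"`. Because the same commit stops the service worker from handling tile requests, it is also worth checking whether `connect-src` needs the tile origin at all or whether `img-src` alone now suffices, since every origin in `connect-src` is one more destination page script may send data to. A short comment above the policy string saying why each external origin is allowed would help later edits. `_security_headers` starts above the hunk.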
@@ -17,8 +17,9 @@ self.addEventListener("activate", event => {
|
|||||||
});
|
});
|
||||||
|
|
||||||
self.addEventListener("fetch", event => {
|
self.addEventListener("fetch", event => {
|
||||||
// Let API calls always go to the network
|
// Let API calls and map tiles always go to the network
|
||||||
if (event.request.url.includes("/api/")) return;
|
if (event.request.url.includes("/api/")) return;
|
||||||
|
if (event.request.url.includes("tile.openstreetmap.org")) return;
|
||||||
|
|
||||||
// Navigation requests (page loads, QR code opens) must always hit the network
|
// Navigation requests (page loads, QR code opens) must always hit the network
|
||||||
// so query parameters like ?k=CODE are preserved for app.js
|
// so query parameters like ?k=CODE are preserved for app.js
|
||||||
|
|||||||
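Review bot: The new bypass `event.request.url.includes("tile.openstreetmap.org")` is a substring test over the whole URL, so it also matches requests whose path or query string merely contains that text, and those then skip the handler's remaining logic too. Compare the parsed hostname instead: `const host = new URL(event.request.url).hostname;` followed by `if (host === "tile.openstreetmap.org" || host.endsWith(".tile.openstreetmap.org")) return;`. The `/api/` check on the line above has the same shape and could test `new URL(event.request.url).pathname` rather than the full URL. The fetch handler continues past the end of the hunk.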