mapbox / mapbox-gl-js

Interactive, thoroughly customizable maps in the browser, powered by vector tiles and WebGL
https://docs.mapbox.com/mapbox-gl-js/

CSP-directives documentation update request #6892

Open hjudge opened 6 years ago

hjudge commented 6 years ago

Capturing that https://www.mapbox.com/mapbox-gl-js/api/#csp-directives should be updated.

The child-src directive is recommended, but it is deprecated and yields a warning when used in Chrome and Firefox. The replacement for it is worker-src, which is not yet supported by Safari and yields an error for Safari.

cc @mapbox/docs

jfirebaugh commented 6 years ago

A possible alternative is default-src blob:; script-src blob:;, but this is a somewhat more permissive (i.e. potentially less secure) configuration than the currently documented one. IMO we're better off keeping the current documentation and possibly noting the browser support caveat. The browser warning is not a fatal error.

tstirrat15 commented 5 years ago

Also, unsafe-eval is not required anymore, and you need both worker-src and child-src to get things working across all browsers, because if you have a stricter default-src, having only one of the two will cause some browsers to fail.

Speaking of, if you don't have child-src: blob:; in place and have a stricter default-src, Safari fails completely silently (no console errors or warnings, no failed network requests) and the map completely refuses to load. Why is that? Is there a way that the failure can be made slightly more legible?

ryanhamley commented 4 years ago

https://github.com/mapbox/help/pull/2380 removes the outdated documentation from https://docs.mapbox.com/help/troubleshooting/how-to-use-mapbox-securely/#csp-directives so there's less confusion about unsafe-eval.

Unfortunately, as of this writing, worker-src is still not supported in Safari or Edge, so customers will need to continue using child-src in order to ensure those browsers work as expected.
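The point made in the two comments above (both worker-src and child-src are needed under a strict default-src, and unsafe-eval is no longer required) can be checked against a policy string before it ships. The following is an added illustration, not code from Mapbox GL JS or from this thread: it models the directive fallback chains a worker-src-aware browser (CSP Level 3) and a child-src-only browser (CSP Level 2) walk when deciding whether a blob: worker may start, and lints a header for the two problems discussed. The two fallback chains and the browser labels csp3/csp2 are simplifying assumptions for illustration, not any browser's actual implementation.

```javascript
// Parse a Content-Security-Policy header value into {directive: [source expressions]}.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Assumed fallback chains (a model, not a browser's own code): a CSP3 browser
// looks for worker-src first, a CSP2 browser only knows child-src.
const FALLBACK = {
  csp3: ['worker-src', 'child-src', 'script-src', 'default-src'],
  csp2: ['child-src', 'default-src'],
};

// The source list that governs worker scripts for the given browser model,
// or null when no directive in the chain is set (no restriction applies).
function effectiveWorkerSources(policy, browser) {
  for (const name of FALLBACK[browser]) {
    if (name in policy) return policy[name];
  }
  return null;
}

// May this browser model start a blob: worker (the way the map's workers load)?
// Note that '*' does not match blob: in CSP, so only an explicit blob: counts.
function allowsBlobWorker(header, browser) {
  const sources = effectiveWorkerSources(parseCsp(header), browser);
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === 'blob:');
}

// Findings for a header: blob: workers blocked under either model, or a
// script-src that still carries the no-longer-needed 'unsafe-eval'.
function lintWorkerPolicy(header) {
  const findings = [];
  for (const browser of Object.keys(FALLBACK)) {
    if (!allowsBlobWorker(header, browser)) {
      findings.push(`blob: workers blocked under ${browser} fallback`);
    }
  }
  const policy = parseCsp(header);
  if ((policy['script-src'] || []).includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval' present in script-src but not required");
  }
  return findings;
}
```

Running lintWorkerPolicy on "default-src 'self'; script-src 'self'; worker-src blob:" reports the csp2 failure, and adding child-src blob: alongside worker-src blob: clears it under both models.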