Open hjudge opened 6 years ago
A possible alternative is `default-src blob:; script-src blob:;`, but this is a somewhat more permissive (i.e. potentially less secure) configuration than the currently documented one. IMO we're better off keeping the current documentation and possibly noting the browser support caveat. The browser warning is not a fatal error.
Also, `unsafe-eval` is not required anymore, and you need both `worker-src` and `child-src` to get things working across all browsers, because if you have a stricter `default-src`, having only one of the two will cause some browsers to fail.
Speaking of, if you don't have `child-src: blob:;` in place and have a stricter `default-src`, Safari fails completely silently (no console errors or warnings, no failed network requests) and the map completely refuses to load. Why is that? Is there a way that the failure can be made slightly more legible?
https://github.com/mapbox/help/pull/2380 removes the outdated documentation from https://docs.mapbox.com/help/troubleshooting/how-to-use-mapbox-securely/#csp-directives so there's less confusion about `unsafe-eval`.
Unfortunately, as of this writing, `worker-src` is still not supported in Safari or Edge, so customers will need to continue using `child-src` in order to ensure those browsers work as expected.
Capturing that https://www.mapbox.com/mapbox-gl-js/api/#csp-directives should be updated.
The `child-src` directive is recommended, but it is deprecated and yields a warning when used in Chrome and Firefox. The replacement for it is `worker-src`, which is not yet supported by Safari and yields an error for Safari.

cc @mapbox/docs