From 441a9a5ed9e5b6a37356e0f15967f66799419572 Mon Sep 17 00:00:00 2001
From: Pieter Vander Vennet
Date: Wed, 7 Feb 2024 17:23:12 +0100
Subject: [PATCH] Fix: properly add 'self' to connect-src

---
 scripts/generateLayouts.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/generateLayouts.ts b/scripts/generateLayouts.ts
index 3bdcfaee5..9f20ce196 100644
--- a/scripts/generateLayouts.ts
+++ b/scripts/generateLayouts.ts
@@ -306,7 +306,7 @@ async function generateCsp(
 }

 const geojsonSources: string[] = layout.layers.map((l) => l.source?.geojsonSource)
- const hosts = new Set("self")
+ const hosts = new Set()
 const eliLayers: RasterLayerPolygon[] = AvailableRasterLayers.layersAvailableAt(
 new ImmutableStore({ lon: 0, lat: 0 })
 ).data
@@ -350,7 +350,7 @@ async function generateCsp(
 "default-src": "'self'",
 "child-src": "'self' blob: ",
 "img-src": "* data:", // maplibre depends on 'data:' to load
- "connect-src": connectSrc.join(" "),
+ "connect-src": "self "+connectSrc.join(" "),
 "report-to": "https://report.mapcomplete.org/csp",
 "worker-src": "'self' blob:", // Vite somehow loads the worker via a 'blob'
 "style-src": "'self' 'unsafe-inline'", // unsafe-inline is needed to change the default background pin colours
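Review bot: The `self ` prefix added to `connect-src` in the second hunk is unquoted, and CSP keyword sources only take effect when written with single quotes; a bare `self` is parsed as a host named "self", so it does not grant same-origin connections. The neighbouring directives in this hunk already use the quoted form (`"default-src": "'self'"`), so the line should read `"connect-src": "'self' " + connectSrc.join(" "),`. Since the first hunk stops seeding `hosts` with the keyword, this literal appears to be the only place same-origin fetch/XHR/WebSocket traffic is allowed, and browsers would block it unless the site's own host is listed explicitly. generateCsp starts and ends outside both hunks, so how connectSrc is assembled is not visible here.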