Fix: properly add 'self' to connect-src (take 2)

2024-02-07 18:02:35 +01:00 · 2024-02-07 18:02:35 +01:00 · c823e745a3
commit c823e745a3
parent 441a9a5ed9
1 changed files with 1 additions and 2 deletions
--- a/scripts/generateLayouts.ts
+++ b/scripts/generateLayouts.ts
@ -273,7 +273,6 @@ async function generateCsp(
    }
 ): Promise<string> {
    const apiUrls: string[] = [
-        "'self'",
        ...Constants.defaultOverpassUrls,
        Constants.countryCoderEndpoint,
        Constants.nominatimEndpoint,
@ -350,7 +349,7 @@ async function generateCsp(
        "default-src": "'self'",
        "child-src": "'self' blob: ",
        "img-src": "* data:", // maplibre depends on 'data:' to load
-        "connect-src": "self "+connectSrc.join(" "),
+        "connect-src": "'self' "+connectSrc.join(" "),
        "report-to": "https://report.mapcomplete.org/csp",
        "worker-src": "'self' blob:", // Vite somehow loads the worker via a 'blob'
        "style-src": "'self' 'unsafe-inline'", // unsafe-inline is needed to change the default background pin colours