ropenstreetmapcontent-security-policy

Content Security Policy for OpenStreetMap


The following creates one file index.html and one folder index_files. Loaded locally, index.html looks and behaves as expected (zooms, pans etc...).

library(OpenStreetMap)
library(htmlwidgets)
m <- leaflet()
m <- addTiles(m) %>% addProviderTiles(provider=providers$OpenStreetMap)
saveWidget(m, file="index.html",selfcontained = FALSE)

Once I upload to the server, the only way I've been able to view/interact with the map was by installing a Chrome extension that disables CSP.

My question is what should the CSP string look like in this case? I've iterated quite a bit on this, what the current setting I'm using is:

   img-src 'self'
      openlayers.org 
      tile.openstreetmap.org 
      a.tile.openstreetmap.org 
      b.tile.openstreetmap.org 
      c.tile.openstreetmap.org
      unpkg.com;
   script-src 'self' 'unsafe-eval' openlayers.org;
   style-src 'self' 'unsafe-inline' 'unsafe-eval' openlayers.org;

I started out being served a blank page, and now I do see the outline of the individual tiles, and how they change when I zoom in & out.

The errors I get are by inspecting the page content. The network tab indicates that all elements but the images are loaded / not blocked. The pngs are blocked with the following error:

Refused to load the image 'https://a.tile.openstreetmap.org/0/0/0.png' because it violates the following Content Security Policy directive: "img-src 'self'".

Seems I'm close the the mark - what is missing?


Solution

  • The most likely explanation is that there is an existing CSP that sets "img-src 'self'". Adding another CSP can only make it stricter. As it doesn't seem like you set "img-src 'self'", you can likely find this in the response headers of the document (the one with content-type text/html). You will need to figure out how it is set and modify/remove it. It can be set in code, in a framework, in a webserver or a proxy.