Support Content Security Policy (csp)

Created on 18 December 2023, over 1 year ago

Problem/Motivation

When using a , the map widget is broken. We'll need to whitelist the *.tile.openstreetmap.org domains and possibly rewrite some JS.

Proposed resolution

Add necessary Content Security Policy directives only on the pages where the widget is loaded.

✨ Feature request
Status

Active

Version

10.2

Component

Code

Created by

🇧🇪 Belgium dieterholvoet Brussels


Merge Requests

Comments & Activities

  • Issue created by @dieterholvoet
  • Status changed to Needs work over 1 year ago
  • 🇧🇪 Belgium dieterholvoet Brussels

    I already whitelisted the tile image domains, but more things seem to be broken.

  • Status changed to Postponed: needs info over 1 year ago
  • 🇮🇹 Italy itamair

    May you better explain and detail your Problem/Motivation here?
    Sorry, I don't get anything of what you wrote down (t)here:

    When using a , the map widget is broken. We'll need to whitelist the *.tile.openstreetmap.org domains and possibly rewrite some JS.

  • Status changed to Needs work over 1 year ago
  • 🇧🇪 Belgium dieterholvoet Brussels

    I'm sorry, looks like part of that sentence somehow got lost. I fixed it.

  • 🇧🇪 Belgium dieterholvoet Brussels
  • 🇮🇹 Italy itamair

    ok ... may be I now better understand this issue context.
    Thanks ...
    Could you better explain your exact use case, so that it might be easier to reproduce, and also the issue you hit with that.

    How do you generate that Content-Security-Policy HTTP header in your response?

    Are you using this Drupal module: https://www.drupal.org/project/csp → ?
    or whatever | whichever else technique?

  • 🇧🇪 Belgium dieterholvoet Brussels

    Yes, like I mentioned in Proposed resolution:

    Test the widget using a strict policy, determine what directives are necessary and add them to the page using the Content Security Policy module →, but only on pages where the widget is loaded.


  • Pipeline finished with Success
    28 days ago
    Total: 217s
    #440838
  • Pipeline finished with Success
    22 days ago
    Total: 236s
    #445579
  • 🇧🇪 Belgium dieterholvoet Brussels

    @gapple I could use your input here. The MR works well as-is, but there's one problem. I have an entity form without Leaflet widget, but it does contain a button that when clicked opens another edit form in a modal, which does have a Leaflet widget (using the Entity Browser module). The problem is that the CSP policy of the parent page does not have the necessary domain allowlisted, causing the widget to not load.

    I don't really see a way around this. Does this mean that I should allowlist the domains on any page, because any page could do an AJAX request to another page that could display the widget? In that case Drupal\csp\EventSubscriber\CoreCspSubscriber might also need to be updated.
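The approach the two posts above describe, as an added example (not the MR's code and not part of the Leaflet or csp modules): a custom-module event subscriber that follows the CoreCspSubscriber pattern and appends the tile hosts to `img-src` only when a Leaflet library is attached to the response. The module namespace and the `leaflet/leaflet` library name are assumptions.

```php
<?php

namespace Drupal\my_leaflet_csp\EventSubscriber;

use Drupal\Core\Asset\LibraryDependencyResolverInterface;
use Drupal\Core\Render\AttachmentsInterface;
use Drupal\csp\CspEvents;
use Drupal\csp\Event\PolicyAlterEvent;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;

/**
 * Allowlists the default OSM tile hosts only on pages that attach Leaflet.
 *
 * Register in my_leaflet_csp.services.yml with the event_subscriber tag and
 * '@library.dependency_resolver' as the constructor argument.
 */
class LeafletTileCspSubscriber implements EventSubscriberInterface {

  // Assumed library name; adjust to the library the Leaflet widget attaches.
  const LEAFLET_LIBRARY = 'leaflet/leaflet';

  // Default tile hosts named in the issue summary.
  const TILE_SOURCES = ['*.tile.openstreetmap.org'];

  public function __construct(
    protected LibraryDependencyResolverInterface $libraryDependencyResolver,
  ) {}

  public static function getSubscribedEvents(): array {
    return [CspEvents::POLICY_ALTER => 'onCspPolicyAlter'];
  }

  public function onCspPolicyAlter(PolicyAlterEvent $event): void {
    $response = $event->getResponse();
    if (!$response instanceof AttachmentsInterface) {
      return;
    }
    // Resolve transitive dependencies so a widget library that depends on
    // the core Leaflet library is also detected.
    $libraries = $this->libraryDependencyResolver->getLibrariesWithDependencies(
      $response->getAttachments()['library'] ?? []
    );
    if (!in_array(self::LEAFLET_LIBRARY, $libraries, TRUE)) {
      return;
    }
    // Tiles load as <img>, so img-src is the directive that blocks them.
    // Caveat from the thread: a widget delivered later via AJAX (e.g. in a
    // modal) is governed by the parent page's header, not this response's.
    $event->getPolicy()->fallbackAwareAppendIfEnabled('img-src', self::TILE_SOURCES);
  }

}
```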

  • 🇮🇹 Italy itamair

    Ok ... I went much better through all this,
    and required & enabled the Content Security Policy module on my local instances of the following 2 (Leaflet powered) websites:

    https://www.geodemocracy.com/drupal_geofield_stack_demo/web/geoplaces-ma... (Official Leaflet Module Live Demo)
    https://www.taranto-viva.com/it

    Yes indeed, all the Leaflet maps break (and not only the Leaflet widgets maps), with a long list of errors/warnings in the inspector console ... etc.

    But also the MR !31 Draft doesn't help on this ... and all still looks broken.
    It looks like it is trying to cope with some very specific use case and Leaflet context, that means if the Open Street Map Tile (default in the module) is used ... and for the widgets.

    But it looks that also Leaflet Formatters and Leaflet View Styles are breaking ... isn't it?
    And we should consider that in most cases users will implement different Leaflet Map background tiles ... (from Open Street).

    May be I didn't get the proper issue case (as I am not fully understanding all the CSP options and functionalities, etc)
    BUT I don't think/feel the correct use of the CSP should be restored with whitelisting with additional code in the Leaflet module,
    but rather with specific whitelisting in the CSP module settings, or eventually in custom modules by users implementing it ...

    What could be a general fix in this Leaflet module instead, eventually? (that could solidly cope with all the possible Leaflet Map Tiles implementations?)

  • 🇧🇪 Belgium dieterholvoet Brussels

    In my project I'm only using the default OpenStreetMap tiles. I know that's probably not enough, that's why I marked the MR as draft. You're right, people can allowlist domains themselves in configuration, but I do see value in automatically allowlisting certain domains where possible.

  • 🇮🇹 Italy itamair

    Ok ...
    so, do you really want to keep this open, with "needs work"?
    I don't think this can cope in code with every possible user use case (and custom Leaflet Map Info definitions),
    and that can end up into the Leaflet module code base.

    Could we rather close as "Closed (works as designed)"?

  • 🇧🇪 Belgium dieterholvoet Brussels