erp5_web_renderjs_ui: update CSP to allow loading data from openstreetmap

78119249 · Sven Franck · Sebastien Robin · 85c87bc6 · 78119249 · 78119249
Commit 78119249 authored Aug 26, 2014 by Sven Franck Committed by Sebastien Robin Sep 03, 2014
2 changed files
--- a/bt5/erp5_web_renderjs_ui/SkinTemplateItem/portal_skins/erp5_web_renderjs_ui/WebPage_viewAsGadget.xml
+++ b/bt5/erp5_web_renderjs_ui/SkinTemplateItem/portal_skins/erp5_web_renderjs_ui/WebPage_viewAsGadget.xml
@@ -68,7 +68,9 @@ response.setHeader("X-Frame-Options", "SAMEORIGIN")\n
 response.setHeader("X-Content-Type-Options", "nosniff")\n
 \n
 # Only fetch code (html, js, css, image) and data from this ERP5, to prevent any data leak as the web site do not control the gadget\'s code\n
-response.setHeader("Content-Security-Policy", "default-src \'none\'; img-src \'self\' data:; media-src \'self\'; connect-src \'self\'; script-src \'self\' \'unsafe-eval\'; style-src \'self\' \'unsafe-inline\' data:; frame-src \'self\' data:")\n
+# XXX: allow openstreetmap\n
+# response.setHeader("Content-Security-Policy", "default-src \'none\'; img-src \'self\' data:; media-src \'self\'; connect-src \'self\'; script-src \'self\' \'unsafe-eval\'; style-src \'self\' \'unsafe-inline\' data:; frame-src \'self\' data:")\n
+response.setHeader("Content-Security-Policy", "default-src \'none\'; img-src \'self\' https://a.tile.openstreetmap.org https://b.tile.openstreetmap.org https://c.tile.openstreetmap.org data:; media-src \'self\'; connect-src \'self\' https://nominatim.openstreetmap.org ; script-src \'self\' \'unsafe-eval\'; style-src \'self\' \'unsafe-inline\' data:; frame-src \'self\' data:")\n
 \n
 \n
 response.setHeader(\'Content-Type\', \'text/html\')\n

--- a/bt5/erp5_web_renderjs_ui/bt/revision
+++ b/bt5/erp5_web_renderjs_ui/bt/revision
-59
\ No newline at end of file
+60
\ No newline at end of file