Merge pull request #3872 from kobotoolbox/csp-maps

Default CSP img src should include domains used for mapping
kobotoolbox · Jun 15, 2022 · e482325 · e482325
2 parents ec340ca + 52b2428
commit e482325
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/kobo/settings/base.py b/kobo/settings/base.py
@@ -526,7 +526,12 @@ def __init__(self, *args, **kwargs):
 CSP_SCRIPT_SRC = CSP_DEFAULT_SRC + ["'unsafe-inline'"]
 CSP_STYLE_SRC = CSP_DEFAULT_SRC + ["'unsafe-inline'", '*.bootstrapcdn.com']
 CSP_FONT_SRC = CSP_DEFAULT_SRC + ['*.bootstrapcdn.com']
-CSP_IMG_SRC = CSP_DEFAULT_SRC + ['data:']
+CSP_IMG_SRC = CSP_DEFAULT_SRC + [
+    'data:',
+    'https://*.openstreetmap.org',
+    'https://*.opentopomap.org',
+    'https://*.arcgisonline.com'
+]
 
 if GOOGLE_ANALYTICS_TOKEN:
     google_domain = '*.google-analytics.com'