
Blobs and CSP #2658

Closed
Rich-Harris opened this issue Jun 2, 2016 · 1 comment

Comments

@Rich-Harris
Contributor

We're preparing to move theguardian.com over to HTTPS, and with it we're adding various CSP directives. One side-effect of this change is that Mapbox GL maps will no longer work because our CSP rules don't currently include blob:, which Mapbox GL apparently requires.

Reproduction using most recent version:

Here's the error that appears:

[screenshot of the browser error, 2016-06-02]

One way to solve this would obviously be to loosen the CSP rules. This makes our security folks a bit nervous as it apparently allows web workers to get around same-origin restrictions (apparently we've seen something similar in the wild, in ad code).

I'm wondering therefore if there's a way to use Mapbox GL without blobs (or indeed if it's possible to detect that blobs violate the current CSP environment)? Thanks.

CC @mchv

@tmcw
Contributor

tmcw commented Jun 2, 2016

Hey Rich!

Thanks for opening this issue, and yep, it's definitely a problem. We've got an existing report of this problem open in issue #559, so I'm going to close this one to consolidate the conversation.

To paraphrase the existing ticket: we use the blob: construct to create our web workers. We could potentially dodge this - use file-based web workers, but we don't have a clear way to do this while also keeping mapbox-gl-js compatible with bundlers like browserify & webpack which generate single-file bundles including this software. If there's a way around that limitation or even with an extra step but preserving the default behavior for everyone else, we'd be game for including it.

- Tom
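The two questions in this thread (which CSP directive actually governs blob:-backed workers, and how a page can detect that its current policy blocks them) can be worked through in code. The block below is an added example; it is not code from mapbox-gl-js, from the Guardian, or from either commenter. It models the CSP Level 3 fallback order for worker loads (worker-src, then child-src, then script-src, then default-src), shows the narrowest header change that admits blob: workers without adding blob: to script-src, and includes a browser-only runtime probe. All function names and the sample header strings are constructed for this example.

```javascript
// Added example (not from mapbox-gl-js or theguardian.com): reasoning about
// which CSP directive controls `new Worker(blobUrl)` and probing for it at runtime.

// Parse a Content-Security-Policy header value into Map<directive, sources[]>.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

function serializeCsp(policy) {
  return [...policy.entries()].map(([name, sources]) => [name, ...sources].join(' ')).join('; ');
}

// CSP3 fallback chain consulted for Worker construction. Older (2016-era)
// browsers only knew child-src, which is why it sits ahead of script-src here.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];

// The directive that decides worker loads, or null if the policy leaves workers unrestricted.
function effectiveWorkerDirective(policy) {
  for (const name of WORKER_FALLBACK) {
    if (policy.has(name)) return { name, sources: policy.get(name) };
  }
  return null;
}

// Does this policy permit a Worker built from a blob: URL?
// Note: the wildcard `*` does NOT match blob:, data: or filesystem: schemes,
// so only an explicit `blob:` source counts.
function allowsBlobWorkers(header) {
  const directive = effectiveWorkerDirective(parseCsp(header));
  if (directive === null) return true;
  return directive.sources.includes('blob:');
}

// Narrowest fix: copy the currently governing source list into worker-src and
// add blob: there, leaving script-src (and every other directive) untouched.
function allowBlobWorkersNarrowly(header) {
  const policy = parseCsp(header);
  const current = effectiveWorkerDirective(policy);
  if (current === null) return header;               // nothing restricts workers; nothing to widen
  const sources = current.sources.slice();
  if (!sources.includes('blob:')) sources.push('blob:');
  policy.set('worker-src', sources);
  return serializeCsp(policy);
}

// Browser-only runtime probe: resolves true if a blob: worker starts, false if
// the policy blocks it. Some browsers throw a SecurityError synchronously from
// the Worker constructor, others fire an error event, so both paths are handled.
// In a non-browser environment (no global Worker) it resolves false.
function probeBlobWorkerSupport(timeoutMs = 1000) {
  if (typeof Worker === 'undefined' || typeof Blob === 'undefined') return Promise.resolve(false);
  return new Promise((resolve) => {
    const url = URL.createObjectURL(new Blob(['self.postMessage("ok");'], { type: 'text/javascript' }));
    let worker = null;
    let timer = null;
    const done = (ok) => {
      clearTimeout(timer);
      URL.revokeObjectURL(url);
      if (worker) worker.terminate();
      resolve(ok);
    };
    timer = setTimeout(() => done(false), timeoutMs);
    try {
      worker = new Worker(url);
      worker.onmessage = () => done(true);
      worker.onerror = () => done(false);
    } catch (err) {
      done(false);
    }
  });
}

// Constructed sample header in the shape a site with script-src restrictions might use.
const SAMPLE_HEADER = "default-src 'self'; script-src 'self' https://api.mapbox.com";
console.log('blob workers allowed:', allowsBlobWorkers(SAMPLE_HEADER));
console.log('narrowed policy:     ', allowBlobWorkersNarrowly(SAMPLE_HEADER));
```

The design point is that the probe answers the runtime question ("will this fail here?") so a page can fall back gracefully, while the header helper shows the policy change a reviewer should ask for: blob: scoped to worker-src rather than added to script-src, since the latter also admits blob:-backed scripts in the main document.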
