Problem/Motivation
When using a strict Content Security Policy (default-src 'self'; and nothing else), the map widget is broken. We'll need to whitelist the *.tile.openstreetmap.org domains and possibly rewrite some JS.
Proposed resolution
Test the widget using a strict policy, determine what directives are necessary and add them to the page using the Content Security Policy module, but only on pages where the widget is loaded.
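One way to scope the allowlisting as the proposed resolution describes, as an added example that is not part of the Leaflet or CSP module code: a custom-module event subscriber for the CSP module's policy alter event that appends the tile hosts to img-src only when a Leaflet library is attached to the response. It assumes the csp module's PolicyAlterEvent API with Csp::fallbackAwareAppendIfEnabled(), and that the widget attaches a library named 'leaflet/leaflet-widget' (hypothetical; check leaflet.libraries.yml for the real name).

```php
<?php

// Added example (not the Leaflet or csp module's own code). Assumes the csp
// module's PolicyAlterEvent API; the library name below is hypothetical.

namespace Drupal\mymodule_csp\EventSubscriber;

use Drupal\Core\Render\AttachmentsInterface;
use Drupal\csp\CspEvents;
use Drupal\csp\Event\PolicyAlterEvent;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;

class LeafletCspSubscriber implements EventSubscriberInterface {

  // Hosts the default OSM tile layer loads images from (from the issue summary).
  const TILE_HOSTS = ['*.tile.openstreetmap.org'];

  // Libraries whose presence on the response means a map will be rendered
  // (hypothetical name; adjust to the real Leaflet library names).
  const MAP_LIBRARIES = ['leaflet/leaflet-widget'];

  public static function getSubscribedEvents(): array {
    return [CspEvents::POLICY_ALTER => 'onCspPolicyAlter'];
  }

  public function onCspPolicyAlter(PolicyAlterEvent $event): void {
    $response = $event->getResponse();
    // Only HTML/AJAX responses carry attachments; skip everything else.
    if (!$response instanceof AttachmentsInterface) {
      return;
    }
    $attached = $response->getAttachments()['library'] ?? [];
    if (!array_intersect(self::MAP_LIBRARIES, $attached)) {
      // No map on this page: leave the strict policy untouched.
      return;
    }
    // Append the tile hosts to img-src. The fallback-aware variant copies the
    // default-src sources first when img-src is not yet set, so 'self' is not
    // lost when the directive is created here.
    $event->getPolicy()->fallbackAwareAppendIfEnabled('img-src', self::TILE_HOSTS);
  }

}
```

Register the class in the custom module's services.yml with the event_subscriber tag. Note that, as comment #9 describes, a modal loaded via AJAX into a page without the library still runs under the parent page's policy, so this check does not cover that case.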
Comments
Comment #3
dieterholvoet commented
I already whitelisted the tile image domains, but more things seem to be broken.
Comment #4
itamair commented
May you better explain and detail your Problem/Motivation here?
Sorry, I don't get anything of what you wrote down (t)here:
Comment #5
dieterholvoet commented
I'm sorry, looks like part of that sentence somehow got lost. I fixed it.
Comment #6
dieterholvoet commented
Comment #7
itamair commented
Ok ... maybe I now better understand this issue context.
Thanks ...
Could you better explain your exact use case, so that it might be easier to reproduce, and also the issue you hit with that?
How do you generate that Content-Security-Policy HTTP header in your response?
Are you using this Drupal module: https://www.drupal.org/project/csp ?
or whatever | whichever else technique?
Comment #8
dieterholvoet commented
Yes, like I mentioned in Proposed resolution:
For now I don't have any more time to work on this, but I'll get back to this later.
Comment #9
dieterholvoet commented
@gapple I could use your input here. The MR works well as-is, but there's one problem. I have an entity form without Leaflet widget, but it does contain a button that when clicked opens another edit form in a modal, which does have a Leaflet widget (using the Entity Browser module). The problem is that the CSP policy of the parent page does not have the necessary domain allowlisted, causing the widget to not load.
I don't really see a way around this. Does this mean that I should allowlist the domains on any page, because any page could do an AJAX request to another page that could display the widget? In that case Drupal\csp\EventSubscriber\CoreCspSubscriber might also need to be updated.
Comment #10
itamair commented
Ok ... I went much better through all this,
and required & enabled the Content Security Policy module on my local instances of the following 2 (Leaflet powered) websites:
Official Leaflet Module Live Demo: https://www.geodemocracy.com/drupal_geofield_stack_demo/web/geoplaces-ma...
Advanced Drupal Leaflet website: https://www.taranto-viva.com/it
Yes indeed, all the Leaflet maps break (and not only the Leaflet widgets maps), with a long list of errors/warnings in the inspector console ... etc.
But also the MR !31 Draft doesn't help on this (at the moment) ... and all still looks broken.
It looks like it is trying to cope with some very specific use case and Leaflet context, that means if the Open Street Map Tile (default in the module) is used ... and for the widgets.
But it looks like Leaflet Formatters and Leaflet View Styles are also breaking ... isn't it?
And we should consider that in most cases users will implement different Leaflet Map background tiles ... (from Open Street).
Maybe I didn't get the proper issue case (as I am not fully understanding all the CSP options and functionalities, etc),
BUT I don't think/feel the correct use of the CSP should be restored with whitelisting with additional code in the Leaflet module,
but rather with specific whitelisting in the CSP module settings, or eventually in custom modules by users implementing it ...
What could be a general fix in this Leaflet module instead, eventually? (that could solidly cope with all the possible Leaflet Map Tiles implementations?)
Comment #11
dieterholvoet commented
In my project I'm only using the default OpenStreetMap tiles. I know that's probably not enough, that's why I marked the MR as draft. You're right, people can allowlist domains themselves in configuration, but I do see value in automatically allowlisting certain domains where possible.
Comment #12
itamair commented
Ok ...
so, do you really want to keep this open, with "needs work"?
I don't think this can cope in code with every possible user use case (and custom Leaflet Map Info definitions),
and that can end up in the Leaflet module code base.
Could we rather close this as "Closed (works as designed)"?
You could still improve your draft MR eventually ...
(or please close it, if you don't intend to)
Comment #13
dieterholvoet commented