Merge pull request #2503 from visualize-admin/fix/maptiler-csp

fix: Embed CSP

Author: bprusinowski

CHANGELOG.md

@@ -11,7 +11,8 @@ You can also check the
 
 ## Unreleased
 
-Nothing yet.
+- Fixes
+  - Fixed CSP for the embed page
 
 ### 6.2.4 - 2025-11-28
 

app/next.config.js

@@ -68,7 +68,7 @@ module.exports = withPreconstruct(
               } https://*.sentry.io https://vercel.live/ https://vercel.com https://*.googletagmanager.com`,
               `script-src 'self' 'unsafe-inline'${
                 process.env.NODE_ENV === "development" ? " 'unsafe-eval'" : ""
-              } https://*.sentry.io https://vercel.live/ https://vercel.com https://*.googletagmanager.com https://api.mapbox.com`,
+              } https://*.sentry.io https://vercel.live/ https://vercel.com https://*.googletagmanager.com https://api.mapbox.com https://api.maptiler.com`,
               `style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net`,
               `font-src 'self'`,
               `form-action 'self'`,
@@ -78,8 +78,8 @@ module.exports = withPreconstruct(
 
               // * to allow loading legend images from custom WMS / WMTS endpoints and data: to allow downloading images
               `img-src 'self' * data: blob:`,
-              `script-src-elem 'self' 'unsafe-inline' https://*.admin.ch https://visualize.admin.ch https://*.visualize.admin.ch https://vercel.live https://vercel.com https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://api.mapbox.com https://cdn.jsdelivr.net`,
-              `worker-src 'self' blob: https://*.admin.ch`,
+              `script-src-elem 'self' 'unsafe-inline' https://*.admin.ch https://visualize.admin.ch https://*.visualize.admin.ch https://vercel.live https://vercel.com https://*.vercel.app https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://api.mapbox.com https://cdn.jsdelivr.net`,
+              `worker-src 'self' blob: https://*.admin.ch https://*.vercel.app`,
             ].join("; "),
           });
         }

app/pages/embed/[chartId].tsx

@@ -66,7 +66,17 @@ const EmbedPage = (props: PageProps) => {
       <Head>
         <meta
           httpEquiv="Content-Security-Policy"
-          content="default-src 'self' 'unsafe-inline' data:; script-src 'unsafe-inline' 'unsafe-eval' 'self'; style-src 'self' 'unsafe-inline';"
+          content={[
+            `default-src 'self' 'unsafe-inline' data: https://*.sentry.io https://vercel.live/ https://vercel.com https://*.googletagmanager.com`,
+            `script-src 'unsafe-inline' 'unsafe-eval' 'self' https://api.mapbox.com https://api.maptiler.com https://*.sentry.io https://vercel.live/ https://vercel.com https://*.googletagmanager.com`,
+            `style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net`,
+            `font-src 'self'`,
+            `form-action 'self'`,
+            `connect-src 'self' *`,
+            `img-src 'self' * data: blob:`,
+            `script-src-elem 'self' 'unsafe-inline' https://*.admin.ch https://visualize.admin.ch https://*.visualize.admin.ch https://vercel.live https://vercel.com https://*.vercel.app https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://api.mapbox.com https://cdn.jsdelivr.net`,
+            `worker-src 'self' blob: https://*.admin.ch https://*.vercel.app`,
+          ].join("; ")}
         />
       </Head>
       <ConfiguratorStateProvider