From bb0bf25ce03b8844836c7e9db68ab58c5bcb096a Mon Sep 17 00:00:00 2001
From: BOHA
Date: Mon, 23 Mar 2026 13:44:50 +0100
Subject: [PATCH] fix: CSP and Permissions-Policy blocking GPS, geocoding, and map

- Permissions-Policy: geolocation=(self) instead of geolocation=() (was blocking all geolocation access)
- connect-src: added nominatim.openstreetmap.org for reverse geocoding
- script-src: added unpkg.com for Leaflet JS
- style-src: added unpkg.com for Leaflet CSS
- img-src: added *.tile.openstreetmap.org for map tiles
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 src/middleware/security.ts | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/middleware/security.ts b/src/middleware/security.ts
index 3810492..5c8860f 100644
--- a/src/middleware/security.ts
+++ b/src/middleware/security.ts
@@ -8,13 +8,20 @@ export async function securityHeaders(
 reply.header('X-Content-Type-Options', 'nosniff');
 reply.header('X-Frame-Options', 'DENY');
 reply.header('Referrer-Policy', 'strict-origin-when-cross-origin');
- reply.header('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
+ reply.header('Permissions-Policy', 'camera=(), microphone=(), geolocation=(self)');
 if (config.isProduction) {
 reply.header('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
 reply.header(
 'Content-Security-Policy',
- "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'",
+ [ "default-src 'self'", "script-src 'self' https://unpkg.com", "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://unpkg.com", "font-src 'self' https://fonts.gstatic.com", "img-src 'self' data: blob: https://*.tile.openstreetmap.org", "connect-src 'self' https://nominatim.openstreetmap.org", ].join('; '),
 );
 }
 }
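Review bot: `"script-src 'self' https://unpkg.com"` in the new CSP array trusts the whole CDN origin, so any package published on unpkg, not only Leaflet, becomes a loadable script source and most of the protection of a restricted script-src is lost. Prefer shipping Leaflet from the app's own bundle (it is an npm package) so `script-src 'self'` can remain, or at least narrow the entry to the versioned path, e.g. `"script-src 'self' https://unpkg.com/leaflet@<pinned-version>/dist/"`, and pin the `<script>` tag with an `integrity` attribute; note that CSP path matching is dropped after a redirect, so the URL must be the final, version-pinned one. Because script-src now trusts a third-party origin, also add `"base-uri 'self'"`, which unlike the other directives does not fall back to default-src. The `https://fonts.googleapis.com`, `https://fonts.gstatic.com` and `blob:` additions are not listed in the commit message and should be. The securityHeaders function begins before this hunk.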