boha_admin/app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 26 Wiki Activity

fix: CSP and Permissions-Policy blocking GPS, geocoding, and map

Browse Source 
- Permissions-Policy: geolocation=(self) instead of geolocation=()
  (was blocking all geolocation access)
- connect-src: added nominatim.openstreetmap.org for reverse geocoding
- script-src: added unpkg.com for Leaflet JS
- style-src: added unpkg.com for Leaflet CSS
- img-src: added *.tile.openstreetmap.org for map tiles

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
BOHA
2026-03-23 13:44:50 +01:00
parent 2718a7b716
commit bb0bf25ce0
1 changed files with 9 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/middleware/security.ts
View File

@@ -8,13 +8,20 @@ export async function securityHeaders(
reply.header('X-Content-Type-Options', 'nosniff');
reply.header('X-Frame-Options', 'DENY');
reply.header('Referrer-Policy', 'strict-origin-when-cross-origin');
reply.header('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
reply.header('Permissions-Policy', 'camera=(), microphone=(), geolocation=(self)');
if (config.isProduction) {
reply.header('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
reply.header(
'Content-Security-Policy',
"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'",
[
"default-src 'self'",
"script-src 'self' https://unpkg.com",
"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://unpkg.com",
"font-src 'self' https://fonts.gstatic.com",
"img-src 'self' data: blob: https://*.tile.openstreetmap.org",
"connect-src 'self' https://nominatim.openstreetmap.org",
].join('; '),
);
}
}