<p>The current Content Security Policy HTTP header of <a href="https://www.openstreetmap.org/edit" rel="nofollow">https://www.openstreetmap.org/edit</a> (iD editor) prevents using the "download osmChange file" link in Firefox. The link is accessible when clicking on the "save" button. Clicking on the link currently triggers no change in the GUI but an error message in the browser console is logged:</p>
<pre><code>Content Security Policy: The page’s settings blocked the loading of a
resource at blob:https://www.openstreetmap.org/&lt;uuid&gt; ("frame-src").
</code></pre>
<p>The current CSP is:</p>
<pre><code>default-src 'self'; ... frame-src 'self'; ...
</code></pre>
<p>I propose that <code>blob:</code> should be added after <code>frame-src</code>.</p>
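<p>Added example (not part of the original issue or of the openstreetmap-website code): a simplified JavaScript model of how a frame load is checked against the policy, showing why the blob URL is blocked today and that adding <code>blob:</code> to <code>frame-src</code> alone does not open <code>blob:</code> for other resource types. It assumes, as the console error above shows, that <code>'self'</code> does not cover <code>blob:</code> URLs; the reduced policy strings, the placeholder UUID and all function names are constructed for illustration.</p>

```javascript
// Simplified model of CSP source-list matching (added example; not browser code).
// Assumption, taken from the console error above: 'self' does not cover blob: URLs,
// so they match only an explicit "blob:" scheme-source.

// Fallback chains for the two directives used here (CSP Level 3).
const FALLBACK = {
  "frame-src": ["frame-src", "child-src", "default-src"],
  "script-src": ["script-src", "default-src"],
};

function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function sourceMatches(source, url, selfOrigin) {
  const u = new URL(url);
  // Scheme-source such as "blob:" or "https:": compare schemes only.
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  const network = u.protocol === "http:" || u.protocol === "https:";
  if (source === "'self'") return network && u.origin === selfOrigin;
  if (source === "*") return network;
  return false; // host-sources, nonces and hashes are out of scope for this sketch
}

// Returns { allowed, directive }: the directive that governed the decision, or null.
function checkLoad(header, directive, url, selfOrigin) {
  const policy = parsePolicy(header);
  const governing = FALLBACK[directive].find((d) => policy.has(d));
  if (!governing) return { allowed: true, directive: null };
  const allowed = policy.get(governing).some((s) => sourceMatches(s, url, selfOrigin));
  return { allowed, directive: governing };
}

// Constructed inputs: a reduced form of the policy above and a placeholder blob URL.
const SELF = "https://www.openstreetmap.org";
const BLOB = "blob:https://www.openstreetmap.org/00000000-0000-0000-0000-000000000000";
const CURRENT = "default-src 'self'; frame-src 'self'";
const PROPOSED = "default-src 'self'; frame-src 'self' blob:";
```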