<p></p>
<h3 dir="auto">Description</h3>
<p dir="auto">When trying to load tiles from a custom tile server, the following CORS validation error is thrown on osm.org:</p>
<blockquote>
<p dir="auto">Refused to load the image '<a href="https://a.tile.openstreetmap.de/19/139398/209119.png" rel="nofollow">https://a.tile.openstreetmap.de/19/139398/209119.png</a>' because it violates the following Content Security Policy directive: "img-src 'self' data: <a href="http://www.gravatar.com" rel="nofollow">www.gravatar.com</a> *.wp.com tile.openstreetmap.org *.tile.openstreetmap.org *.tile.thunderforest.com tileserver.memomaps.de *.openstreetmap.fr piwik.openstreetmap.org <a href="https://openstreetmap-user-avatars.s3.dualstack.eu-west-1.amazonaws.com" rel="nofollow">https://openstreetmap-user-avatars.s3.dualstack.eu-west-1.amazonaws.com</a> <a href="https://openstreetmap-gps-images.s3.dualstack.eu-west-1.amazonaws.com" rel="nofollow">https://openstreetmap-gps-images.s3.dualstack.eu-west-1.amazonaws.com</a>".</p>
</blockquote>
<p dir="auto">I was able to trace this rule back to this line of this file:<br>
<a href="https://github.com/openstreetmap/openstreetmap-website/blob/1612ea75c541016ff8c4312935e8bfc4462608c6/config/initializers/secure_headers.rb#L10">https://github.com/openstreetmap/openstreetmap-website/blob/1612ea75c541016ff8c4312935e8bfc4462608c6/config/initializers/secure_headers.rb#L10</a></p>
<p dir="auto">Images are unlikely to contain malicious content, and this rule reduces the functionality of the website by disallowing folks to use their own tile servers with osm.org. Would it be possible to allow images to load from custom tile servers here?</p>
<p dir="auto">Found this Mozilla documentation for doing this in apache, not quite sure how this would translate to Rails but CORS does support this: <a href="https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image#web_server_configuration" rel="nofollow">https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image#web_server_configuration</a></p>
<p dir="auto">Currently, I am using the <a href="https://github.com/ranjez/Switcheroo">Switcheroo</a> extension to test this on behalf of SomeoneElse who brought this issue up in the OpenStreetMap World Discord server.</p>
<h3 dir="auto">Screenshots</h3>
<p dir="auto"><a target="_blank" rel="noopener noreferrer" href="https://user-images.githubusercontent.com/5573038/173872533-9d4a68f8-7d31-4977-a9a9-b1f7c7152ec1.png"><img src="https://user-images.githubusercontent.com/5573038/173872533-9d4a68f8-7d31-4977-a9a9-b1f7c7152ec1.png" alt="image" style="max-width: 100%;"></a></p>

<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br />Reply to this email directly, <a href="https://github.com/openstreetmap/openstreetmap-website/issues/3572">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/AAK2OLNYERQCKNWSZODVQ6TVPH4UTANCNFSM5Y32RBYA">unsubscribe</a>.<br />You are receiving this because you are subscribed to this thread.<img src="https://github.com/notifications/beacon/AAK2OLNBN5PMPYGLXWLS623VPH4UTA5CNFSM5Y32RBYKYY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4S6X5PPA.gif" height="1" width="1" alt="" /><span style="color: transparent; font-size: 0; display: none; visibility: hidden; overflow: hidden; opacity: 0; width: 0; height: 0; max-width: 0; max-height: 0; mso-hide: all">Message ID: <span><openstreetmap/openstreetmap-website/issues/3572</span><span>@</span><span>github</span><span>.</span><span>com></span></span></p>
<script type="application/ld+json">[
{
"@context": "http://schema.org",
"@type": "EmailMessage",
"potentialAction": {
"@type": "ViewAction",
"target": "https://github.com/openstreetmap/openstreetmap-website/issues/3572",
"url": "https://github.com/openstreetmap/openstreetmap-website/issues/3572",
"name": "View Issue"
},
"description": "View this Issue on GitHub",
"publisher": {
"@type": "Organization",
"name": "GitHub",
"url": "https://github.com"
}
}
]</script>