[openstreetmap/openstreetmap-website] Allow loading of map image tiles from other domains (Issue #3572)

Nickolas Gupton notifications at github.com
Wed Jun 15 15:59:05 UTC 2022


### Description

When trying to load tiles from a custom tile server, the following CORS validation error is thrown on osm.org:

> Refused to load the image 'https://a.tile.openstreetmap.de/19/139398/209119.png' because it violates the following Content Security Policy directive: "img-src 'self' data: www.gravatar.com *.wp.com tile.openstreetmap.org *.tile.openstreetmap.org *.tile.thunderforest.com tileserver.memomaps.de *.openstreetmap.fr piwik.openstreetmap.org https://openstreetmap-user-avatars.s3.dualstack.eu-west-1.amazonaws.com https://openstreetmap-gps-images.s3.dualstack.eu-west-1.amazonaws.com".

I was able to trace this rule back to this line of this file:
https://github.com/openstreetmap/openstreetmap-website/blob/1612ea75c541016ff8c4312935e8bfc4462608c6/config/initializers/secure_headers.rb#L10

Images are unlikely to contain malicious content, and this rule reduces the functionality of the website by disallowing folks from using their own tile servers with osm.org. Would it be possible to allow images to load from custom tile servers here?

Found this Mozilla documentation for doing this in Apache; not quite sure how this would translate to Rails, but CORS does support this: https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image#web_server_configuration

Currently, I am using the [Switcheroo](https://github.com/ranjez/Switcheroo) extension to test this on behalf of SomeoneElse who brought this issue up in the OpenStreetMap World Discord server.

### Screenshots

![image](https://user-images.githubusercontent.com/5573038/173872533-9d4a68f8-7d31-4977-a9a9-b1f7c7152ec1.png)


-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/3572
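The directive quoted in the error is Content-Security-Policy, not CORS: `img-src` is a source list sent by osm.org itself, and the browser checks every image URL against it before the request is made, so no header the tile server sets (such as the Access-Control-Allow-Origin configuration on the linked MDN page) can lift the restriction. The Ruby below is an added example, not code from openstreetmap-website or from the issue author. It implements the CSP3 matching rules for the source forms that appear in that `img-src` list ('self', a scheme such as `data:`, and host sources with optional scheme, wildcard label, port and path), then checks the blocked tile URL against the current list and against the same list with one extra entry. The self origin `https://www.openstreetmap.org`, the `policy_with` helper and the `tiles.example` host are assumptions made for the example.

```ruby
require "uri"

# Simplified CSP img-src matcher covering the source forms that appear in the
# directive quoted in the issue: 'self', scheme-source such as data:, and
# host-source with optional scheme, "*." wildcard label, port and path prefix.
# It follows the CSP3 "does url match expression" rules for those forms only;
# nonce/hash sources are irrelevant to img-src and are not handled.
# Added example, not code from openstreetmap-website.
class ImgSrcPolicy
  DEFAULT_PORTS = { "http" => 80, "https" => 443 }.freeze
  HOST_SOURCE = %r{\A(?:(?<scheme>[a-z][a-z0-9+.-]*)://)?(?<host>\*|\*?[^/:*]+)(?::(?<port>\d+|\*))?(?<path>/.*)?\z}i

  def initialize(directive_value, self_origin:)
    @sources = directive_value.split(/\s+/).reject(&:empty?)
    @self_origin = URI.parse(self_origin)
  end

  # True when an <img> pointing at url would be allowed to load under this directive.
  def allows?(url)
    uri = URI.parse(url)
    @sources.any? { |src| source_matches?(src, uri) }
  end

  private

  def source_matches?(src, uri)
    case src
    when "'self'"
      uri.scheme == @self_origin.scheme && uri.host == @self_origin.host && uri.port == @self_origin.port
    when "'none'"
      false
    when /\A[a-z][a-z0-9+.-]*:\z/i            # scheme-source, e.g. data: or https:
      uri.scheme.to_s.casecmp?(src.chomp(":"))
    else
      host_source_matches?(src, uri)
    end
  end

  def host_source_matches?(src, uri)
    m = HOST_SOURCE.match(src)
    return false unless m
    url_scheme = uri.scheme.to_s.downcase
    src_scheme = (m[:scheme] || @self_origin.scheme).downcase
    # CSP3 scheme-part match: equal, or an http source admits https (upgrade only, never downgrade).
    return false unless url_scheme == src_scheme || (src_scheme == "http" && url_scheme == "https")
    return false unless host_matches?(m[:host], uri.host.to_s)
    if m[:port].nil?
      # No port in the source: the URL must use the default port for its scheme.
      return false unless uri.port == DEFAULT_PORTS[url_scheme]
    elsif m[:port] != "*"
      return false unless uri.port == m[:port].to_i
    end
    path = m[:path]
    return true if path.nil? || path.empty? || path == "/"
    # Simplified path-part match: a trailing slash means prefix, otherwise exact.
    path.end_with?("/") ? uri.path.start_with?(path) : uri.path == path
  end

  def host_matches?(pattern, host)
    return true if pattern == "*"
    if pattern.start_with?("*.")
      # "*.tile.openstreetmap.org" matches a.tile.openstreetmap.org but not tile.openstreetmap.org itself.
      host.downcase.end_with?(pattern[1..].downcase)
    else
      pattern.casecmp?(host)
    end
  end
end

# The img-src value from the error message quoted in the issue, and the tile URL it blocked.
OSM_IMG_SRC = "'self' data: www.gravatar.com *.wp.com tile.openstreetmap.org " \
              "*.tile.openstreetmap.org *.tile.thunderforest.com tileserver.memomaps.de " \
              "*.openstreetmap.fr piwik.openstreetmap.org " \
              "https://openstreetmap-user-avatars.s3.dualstack.eu-west-1.amazonaws.com " \
              "https://openstreetmap-gps-images.s3.dualstack.eu-west-1.amazonaws.com"
BLOCKED_TILE = "https://a.tile.openstreetmap.de/19/139398/209119.png"
OSM_ORIGIN = "https://www.openstreetmap.org" # assumed origin of the page that sends the policy

def current_policy
  ImgSrcPolicy.new(OSM_IMG_SRC, self_origin: OSM_ORIGIN)
end

# Hypothetical widened policy: the existing list plus one extra source for a custom tile server.
def policy_with(extra_source)
  ImgSrcPolicy.new("#{OSM_IMG_SRC} #{extra_source}", self_origin: OSM_ORIGIN)
end

if $PROGRAM_NAME == __FILE__
  puts "current policy allows #{BLOCKED_TILE}: #{current_policy.allows?(BLOCKED_TILE)}"
  puts "with *.tile.openstreetmap.de added: #{policy_with('*.tile.openstreetmap.de').allows?(BLOCKED_TILE)}"
end
```

The actual change would be to the `img-src` list in `config/initializers/secure_headers.rb`, the file the issue links; the matcher above is only a way to check a candidate list against real tile URLs before deploying it. The trade-off to keep in mind: `img-src` is also what stops an injected `<img>` tag from making requests to arbitrary hosts, so widening it to `*` or `https:` removes that restriction entirely, while adding named hosts or `*.`-prefixed subdomains keeps it.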
More information about the rails-dev mailing list