Add Google Maps urls to the CSP directives
Update list of directives to include those supplied by Google to
prevent CSP warnings when using Google Maps.
Ensure that the CSP nonce is available in the page so that Google Maps
JS can use it. This eliminates CSP errors that occur when Google Maps
are included on a page, but the page does not have any other elements
that include the nonce. This change ensures the nonce appears
at least once on the page before the map component is displayed.
anvit committed Nov 21, 2023
1 parent 9bb130a commit c9ec8f8
Showing 3 changed files with 3 additions and 1 deletion.
2 changes: 1 addition & 1 deletion config/app.yml
@@ -67,4 +67,4 @@ all:
# 'Content-Security-Policy-Report-Only' or 'Content-Security-Policy'
response_header: Content-Security-Policy-Report-Only
# Configure CSP response directives.
directives: "default-src 'self'; font-src 'self'; img-src 'self' https://www.gravatar.com/avatar/ https://*.google-analytics.com https://*.googletagmanager.com blob:; script-src 'self' https://*.googletagmanager.com 'nonce'; style-src 'self' 'nonce'; worker-src 'self' blob:; connect-src https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com; frame-ancestors 'self';"
directives: "default-src 'self'; font-src 'self' https://fonts.gstatic.com; img-src 'self' https://*.googleapis.com https://*.gstatic.com *.google.com *.googleusercontent.com data: https://www.gravatar.com/avatar/ https://*.google-analytics.com https://*.googletagmanager.com blob:; script-src 'self' https://*.googletagmanager.com 'nonce' https://*.googleapis.com https://*.gstatic.com *.google.com https://*.ggpht.com *.googleusercontent.com blob:; style-src 'self' 'nonce' https://fonts.googleapis.com; worker-src 'self' blob:; connect-src 'self' https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.googleapis.com *.google.com https://*.gstatic.com data: blob:; frame-ancestors 'self';"
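Review bot: the new `script-src` mixes scheme-qualified sources (`https://*.googleapis.com`, `https://*.gstatic.com`) with scheme-less ones (`*.google.com`, `*.googleusercontent.com`); a scheme-less host-source matches the page's own scheme, so on any deployment that is reachable over plain http it would also permit http script loads. For consistency with the rest of the line, qualify them as `https://*.google.com` and `https://*.googleusercontent.com`, and do the same in `img-src` and `connect-src`. Two further things to check before this goes from `Content-Security-Policy-Report-Only` (the `response_header` line above) to enforcing: `*.google.com` and `blob:` in `script-src` are broad entries that widen what the nonce was meant to constrain, so if the Maps loader works with narrower hosts prefer those; and since the commit message says the list follows the directives Google supplies, confirm whether that list also names a `frame-src` source, because with `default-src 'self'` any frame the map embeds would still be reported. A small style point: the single-line `directives` string is now very hard to diff, and a YAML folded scalar (`directives: >-` with one directive per line) would keep the same value while making future additions reviewable.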
@@ -144,6 +144,7 @@

<div class="digital-object-metadata-body <?php echo render_b5_show_value_css_classes(); ?>">
<?php if ($showMasterFileGoogleMap) { ?>
<style <?php echo __(sfConfig::get('csp_nonce', '')); ?>></style>
<div class="p-1">
<div id="front-map" class="simple-map" data-key="<?php echo $googleMapsApiKey; ?>" data-latitude="<?php echo $latitude; ?>" data-longitude="<?php echo $longitude; ?>"></div>
</div>
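Review bot: the added `<style ...></style>` is deliberately empty and exists only so that the nonce appears in the page before the map script runs (that is what the commit message describes), but nothing in the template says so; add a PHP comment on that line, otherwise a later cleanup will remove an apparently dead element and silently reintroduce the CSP errors this change fixes. Two smaller points on the same line: the value of `csp_nonce` is echoed straight into attribute position, so it should be confirmed that it always holds a complete, server-generated `nonce="..."` attribute and is never template- or user-settable; and wrapping it in `__()`, the translation helper, is unnecessary for a non-user-facing attribute, so unless the project emits the nonce this way everywhere, drop the wrapper and echo the value directly.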
@@ -81,6 +81,7 @@
<?php end_slot(); ?>

<?php if (isset($latitude, $longitude) && $mapApiKey = sfConfig::get('app_google_maps_api_key')) { ?>
<style <?php echo __(sfConfig::get('csp_nonce', '')); ?>></style>
<div class="p-1 border-bottom">
<div id="front-map" class="simple-map" data-key="<?php echo $mapApiKey; ?>" data-latitude="<?php echo $latitude; ?>" data-longitude="<?php echo $longitude; ?>"></div>
</div>
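Review bot: this is the same empty nonced `<style>` element added verbatim in the previous template, followed by the same `#front-map` `<div>`; extracting the element (or the whole map block, since both templates render the same `div` with `data-key`, `data-latitude` and `data-longitude`) into a shared partial would keep the nonce-exposure workaround in one place, so a future change to how the nonce is surfaced, or to the CSP directives it depends on, does not have to be repeated across templates and cannot drift between them.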
