Host-allowlist-based Content Security Policy currently required for the (self-hosted) MapML polyfill with a https://geogratis.gc.ca/mapml/en/cbmtile/cbmt/ layer source:

default-src
  'self';
style-src
  'self'
  'unsafe-hashes'
  'sha256-rTznJl3tizDpoKt9XtMnDqQHkh5Nl013JQ61AgrUvBA='
  'sha256-gWLDNLsycvRcRqEScFHdCYPrg1OzxzQBXX7qYFP1Ww0='
  'sha256-Yh21waoKFkXvfiGbkUMgTtK+WLTXPHnfAmHjd5VEOzs='
  'sha256-nkSWviGEMA7GjEhvFalgIvhPJjztTxRSIg8+OvMVZnE='
  'sha256-3rDMFlo5l2Wqdmy4qKaKncvyyzyt1OcMx8YhZIMhreY='
  'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='
  'sha256-cm3nF/pkNcraBBRi3V0OubmNx+lry2FBHHG4nRBfAug=';
connect-src
  'self'
  https://geogratis.gc.ca/mapml/;
img-src
  'self'
  data:
  https://geoappext.nrcan.gc.ca;

While developers are recommended to deploy a Strict CSP (e.g. a nonce-based policy), most developers who deploy a CSP do not use nonces, which means they need either 'unsafe-inline' (neither recommended nor desired) or the 'unsafe-hashes' source expression. The latter is safer, but it may require an extensive list of hash-sources, as this example illustrates.
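As an added example (not part of the original post or of the polyfill), a small Python audit helper that derives the CSP hash-source for an inline style attribute value and checks it against the style-src directive above; among other things it shows that one of the listed hashes is simply the digest of an empty style attribute value.

```python
import base64
import hashlib

# The style-src directive copied from the policy above (other directives omitted).
POLICY = """
style-src 'self' 'unsafe-hashes'
  'sha256-rTznJl3tizDpoKt9XtMnDqQHkh5Nl013JQ61AgrUvBA='
  'sha256-gWLDNLsycvRcRqEScFHdCYPrg1OzxzQBXX7qYFP1Ww0='
  'sha256-Yh21waoKFkXvfiGbkUMgTtK+WLTXPHnfAmHjd5VEOzs='
  'sha256-nkSWviGEMA7GjEhvFalgIvhPJjztTxRSIg8+OvMVZnE='
  'sha256-3rDMFlo5l2Wqdmy4qKaKncvyyzyt1OcMx8YhZIMhreY='
  'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='
  'sha256-cm3nF/pkNcraBBRi3V0OubmNx+lry2FBHHG4nRBfAug=';
"""


def csp_hash_source(inline_text: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source for an inline style attribute value.

    The digest covers the exact UTF-8 bytes of the attribute value (no
    trimming or normalisation), base64-encoded as it appears in the policy.
    A single changed byte, even trailing whitespace, yields a different hash.
    """
    digest = hashlib.new(algo, inline_text.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def parse_directive(policy: str, name: str) -> set[str]:
    """Return the source expressions of one directive (e.g. style-src)."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0] == name:
            return set(tokens[1:])
    return set()


def inline_style_allowed(inline_text: str, policy: str) -> bool:
    """True if a style="..." attribute with this exact value passes the policy.

    Hash-sources only apply to attributes when 'unsafe-hashes' is also present.
    """
    sources = parse_directive(policy, "style-src")
    if "'unsafe-hashes'" not in sources:
        return False
    return csp_hash_source(inline_text) in sources


def uncovered_styles(inline_values: list[str], policy: str) -> list[str]:
    """Inline style values (e.g. scraped from the polyfill's DOM) that the
    policy does not allow; each one needs a hash added or, better, a class."""
    return [v for v in inline_values if not inline_style_allowed(v, policy)]
```

Feeding the style attribute values the polyfill actually emits into uncovered_styles() tells you which hash-sources are still missing, and the list shrinks as inline styles are replaced by classes or presentational attributes.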

Improvements can be made to the polyfill, for example, to remove the need for some (in the best case all) style-src hash-sources by moving away from inline styles to CSS classes and HTML/SVG presentational attributes (e.g. the hidden attribute instead of style="display:none", or <path stroke="none"> instead of <path style="stroke:none">). And of course, by not introducing new inline styles or scripts.

A standard for Web maps may improve application security and make it easier for developers to deploy fine-grained CSPs in regards to maps: https://github.com/Maps4HTML/MapML/issues/133.