Host-allowlist-based Content Security Policy currently required for the (self-hosted) MapML polyfill with a https://geogratis.gc.ca/mapml/en/cbmtile/cbmt/ layer source:

default-src
  'self';
style-src
  'self'
  'unsafe-hashes'
  'sha256-i+apkz/LmUo63uwfP1/iCMKtQhZhY1CBUGVKuovPL0c='
  'sha256-gWLDNLsycvRcRqEScFHdCYPrg1OzxzQBXX7qYFP1Ww0='
  'sha256-hi8iP7DNkrJOnysrsEtWbR1jYEBHvbWZWGAItl/iJuQ=';
connect-src
  'self'
  https://geogratis.gc.ca/mapml/;
img-src
  'self'
  data:
  https://geoappext.nrcan.gc.ca
  https://maps-cartes.services.geo.ca;

While developers are recommended to deploy a Strict CSP (e.g. a nonce-based policy), most developers deploying a CSP do not use nonces, which means they'll need to use either 'unsafe-inline' (neither recommended nor desired) or the 'unsafe-hashes' source expression. The latter is safer but may require an extensive list of hash-sources, as this example illustrates.

Improvements can be made to the polyfill, for example, to remove the need for some (in the best case all) style-src hash-sources by moving away from inline styles to CSS classes and HTML/SVG presentational attributes (i.e. hidden instead of style="display:none", or <path stroke="none"> instead of <path style="stroke:none">). And of course, by not introducing new inline styles or scripts.
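To make the hash-source mechanics concrete, here is an added example (my own code, not part of the polyfill or the MapML project) that derives a 'sha256-…' source the way a browser does, checks whether a policy would let an inline style attribute apply, and generates the style-src a page would need for a given set of inline styles. The policy above is embedded verbatim; the style values passed to the functions are constructed for illustration.

```python
import base64
import hashlib

# The host-allowlist policy quoted above, serialized as one header value.
PAGE_POLICY = (
    "default-src 'self'; "
    "style-src 'self' 'unsafe-hashes' "
    "'sha256-i+apkz/LmUo63uwfP1/iCMKtQhZhY1CBUGVKuovPL0c=' "
    "'sha256-gWLDNLsycvRcRqEScFHdCYPrg1OzxzQBXX7qYFP1Ww0=' "
    "'sha256-hi8iP7DNkrJOnysrsEtWbR1jYEBHvbWZWGAItl/iJuQ='; "
    "connect-src 'self' https://geogratis.gc.ca/mapml/; "
    "img-src 'self' data: https://geoappext.nrcan.gc.ca https://maps-cartes.services.geo.ca"
)


def parse_csp(policy: str) -> dict:
    """Split a serialized policy into {directive-name: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_hash_source(content: str) -> str:
    """Hash source for an inline style/script body as the browser computes it:
    SHA-256 over the exact UTF-8 bytes (no trimming), base64-encoded."""
    digest = hashlib.sha256(content.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_style_allowed(policy: str, style_text: str, *, attribute: bool) -> bool:
    """Would this policy let style_text apply? attribute=True means a
    style="..." attribute, which (CSP3) also requires 'unsafe-hashes';
    attribute=False means an inline <style> element, where the hash alone suffices."""
    directives = parse_csp(policy)
    sources = directives.get("style-src", directives.get("default-src", []))
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True  # blanket allowance; 'unsafe-inline' is ignored once hashes/nonces appear
    if csp_hash_source(style_text) not in sources:
        return False  # no matching hash source for this exact text
    return "'unsafe-hashes'" in sources if attribute else True


def style_src_for(inline_styles) -> str:
    """Build the style-src value a page needs for the given inline style attribute values.
    Every attribute value becomes one more hash source; replacing it with a class or a
    presentational attribute removes it from this list."""
    hashes = sorted({csp_hash_source(s) for s in inline_styles})
    return " ".join(["'self'", "'unsafe-hashes'"] + hashes)
```

Note that the hash covers the attribute value byte for byte, so `display:none` and `display: none` need two different sources, which is how such lists grow.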

A standard for Web maps may improve application security and make it easier for developers to deploy fine-grained CSPs in regards to maps: https://github.com/Maps4HTML/MapML/issues/133.