Host-allowlist-based Content Security Policy currently required for the (self-hosted) MapML polyfill with a layer source:


While developers are recommended to deploy a Strict CSP (e.g. a nonce-based policy), most developers deploying a CSP do not use nonces, which means they'll need to use either 'unsafe-inline' (neither recommended nor desired) or the 'unsafe-hashes' keyword together with one hash-source per inline style or script. Note that nonces cannot help with style="..." attributes at all: a nonce authorizes only <script> and <style> elements, so inline style attributes force the choice between 'unsafe-inline' and 'unsafe-hashes' even under a Strict CSP. The latter is safer, since each hash permits exactly one string, but it may require an extensive list of hash-sources, as this example illustrates.

Improvements can be made to the polyfill, for example to remove the need for some (in the best case all) style-src hash-sources by moving away from inline style attributes to CSS classes and HTML/SVG presentational attributes (e.g. hidden instead of style="display:none", or <path stroke="none"> instead of <path style="stroke:none">), and of course by not introducing new inline styles or scripts.

A standard for Web maps may improve application security and make it easier for developers to deploy fine-grained CSPs with regard to maps: