Content Security Policy (CSP)

kougi

Hello,

I'm working on a project for our company and we would like to use mapquest to show individual maps based on a GPS location. Unfortunately, we use a very strict CSP, which blocks everything but 'self', unless explicitly set in the CSP header.

Is there an "official" CSP by mapquest that I can use?

So far, I managed to gather the following URLs that need to be added to a CSP, but I am not sure if they are correct or complete:

connect-src
    https://mapconfig.mqcdn.com/mapconfig
    https://tileproxy.cloud.mapquest.com/attribution
    https://www.mapquestapi.com/logger/v1/transaction

font-src
    https://api.mqcdn.com

img-src
    https://a.tiles.mapbox.com
    https://b.tiles.mapbox.com
    https://c.tiles.mapbox.com
    https://d.tiles.mapbox.com

script-src
    https://api.mqcdn.com/sdk/mapquest-js/v1.3.0/mapquest.js

style-src
    https://api.mqcdn.com/sdk/mapquest-js/v1.3.0/

Any information would be appreciated.

Thank you!


MQBrianCoakley
There is no officially documented CSP. But it looks like you hit all of the bases for the base MapQuest.js with your list. If you use other functions within the SDK, like geocoding, routing, custom icons, etc, then you'll need to either add specific API URLs or include www.mapquestapi.com/* and assets.mapquestapi.com/icon/v2/.
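
Added example, not part of the thread and not MapQuest code: the directive list from the first post assembled into a header value, with a simplified source-matching check that shows why the exact-file `script-src` entry, the trailing-slash `style-src` entry and the three `connect-src` paths behave differently. The `'self'` and `default-src` entries, the function names and the sample request paths are assumptions; in CSP source syntax a host with no path (`https://www.mapquestapi.com`) covers every path on that host.

```javascript
// Policy assembled from the directives listed in the thread; 'self' and
// default-src are assumptions matching the "blocks everything but 'self'" setup.
const policy = {
  "default-src": ["'self'"],
  "connect-src": ["'self'",
    "https://mapconfig.mqcdn.com/mapconfig",
    "https://tileproxy.cloud.mapquest.com/attribution",
    "https://www.mapquestapi.com/logger/v1/transaction"],
  "font-src": ["'self'", "https://api.mqcdn.com"],
  "img-src": ["'self'", "https://a.tiles.mapbox.com", "https://b.tiles.mapbox.com",
    "https://c.tiles.mapbox.com", "https://d.tiles.mapbox.com"],
  "script-src": ["'self'", "https://api.mqcdn.com/sdk/mapquest-js/v1.3.0/mapquest.js"],
  "style-src": ["'self'", "https://api.mqcdn.com/sdk/mapquest-js/v1.3.0/"],
};

// Serialize to the value of the Content-Security-Policy response header.
function buildHeader(p) {
  return Object.entries(p).map(([d, s]) => `${d} ${s.join(" ")}`).join("; ");
}

// Simplified CSP source matching for https host sources (no wildcards, no ports):
// a source without a path allows any path, a path ending in "/" is a prefix,
// any other path must match exactly.
function sourceAllows(source, url) {
  const s = new URL(source), u = new URL(url);
  if (s.protocol !== u.protocol || s.host !== u.host) return false;
  const hasPath = source.slice(s.origin.length) !== "";
  if (!hasPath) return true;
  return s.pathname.endsWith("/") ? u.pathname.startsWith(s.pathname)
                                  : u.pathname === s.pathname;
}

// True if some non-keyword source in the directive (or default-src) allows the URL.
function allowed(p, directive, url) {
  const sources = p[directive] || p["default-src"] || [];
  return sources.filter((x) => !x.startsWith("'")).some((x) => sourceAllows(x, url));
}

// Constructed sample requests (other.js, example.css and the geocoding path are placeholders).
const samples = [
  ["script-src", "https://api.mqcdn.com/sdk/mapquest-js/v1.3.0/mapquest.js"],
  ["script-src", "https://api.mqcdn.com/sdk/mapquest-js/v1.3.0/other.js"],
  ["style-src", "https://api.mqcdn.com/sdk/mapquest-js/v1.3.0/example.css"],
  ["connect-src", "https://www.mapquestapi.com/geocoding/example"],
];
console.log(buildHeader(policy));
for (const [d, u] of samples) console.log(allowed(policy, d, u) ? "allow" : "BLOCK", d, u);
```

Running it shows the constructed geocoding request blocked under the three path-specific `connect-src` entries; adding the path-less host source is what admits it.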

kougi
Instead of making modifications to the CSP, is there a way to proxy everything via our own server, and thus have our server forward all the requests back to mapquest?

btw, your captcha is rather annoying, I'm logged in and I have to constantly verify I am not a robot, which takes 10 minutes each time, clicking on silly images.

MQBrianCoakley
There's no easy way to do it through the SDK but if I come up with anything I'll let you know.