Remove worker:source blob CSP requirement (iframe sandbox allow-same-origin support)
#6056
Comments
1 task
ryanbaumann
changed the title
worker:source blob CSP requirementworker:source blob CSP requirement (iframe sandbox allow-same-origin support)
|
Since this is so closely related to #6058, let's centralize discussion there. |
20 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Issue:
Running Mapbox GL JS in a sandboxed iframe with only the
allow-scriptspermission blocks GL JS from running on IE11, Edge, and Safari browsers.EX:
<iframe src="https://www.mapbox.com/bites/00384" sandbox="allow-scripts"></iframe>Minimal test case:
https://bl.ocks.org/ryanbaumann/c28a57618ecd60d23f59d24d91d016fd
If the map in the example above does not load tiles in a browser, that means that the allow-same-origin sandbox permissions are required for the browser iframe sandbox. In IE11 and Edge, the example above does not load for me.
The root cause of the map not loading in the minimal example above using sandboxed iframes on IE11 and Edge seems to be due to fetching same-origin blob URL requests at web worker boot time:
Error messages loading the minimal example above:
On Edge:
On IE11:
Desired Solution
If a new build of GL JS that eliminates the
worker:src blobCSP, loading the test page above should work on IE11, Edge, and Safari.See #5939 for a potential solution.
The text was updated successfully, but these errors were encountered: