CSP: Add `worker-src blob:` to the allow-list.

It appears to be required for GeoTIFF/WebGL on Chrome.
author: Guilhem Moulin <guilhem@fripost.org> 2025-06-09 01:58:33 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2025-06-09 13:49:03 +0200
commit: a477e5bdcc9f03b046a357b92b9487b8c4de23cd (patch)
tree: 9063efdf56a967f1489c0632143c336037413f3a /files/etc/nginx/sites-available
parent: c1a547aee3040a5ec298c174577b75cf78170f60 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/files/etc/nginx/sites-available/webmap b/files/etc/nginx/sites-available/webmap
index 4aef1cc..f89f5e0 100644
--- a/files/etc/nginx/sites-available/webmap
+++ b/files/etc/nginx/sites-available/webmap
@@ -113,7 +113,7 @@ server {
         add_header X-Content-Type-Options "nosniff";
         add_header X-XSS-Protection "1; mode=block";
         add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
-        add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data: https://minkarta.lantmateriet.se/map/; script-src 'self'; style-src 'self'; frame-ancestors 'self'; form-action 'none'; base-uri 'self'";
+        add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data: https://minkarta.lantmateriet.se/map/; script-src 'self'; style-src 'self'; frame-ancestors 'self'; form-action 'none'; worker-src blob:; base-uri 'self'";
 
         try_files $uri $uri/ =404;
     }
author	Guilhem Moulin <guilhem@fripost.org>	2025-06-09 01:58:33 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2025-06-09 13:49:03 +0200
commit	a477e5bdcc9f03b046a357b92b9487b8c4de23cd (patch)
tree	9063efdf56a967f1489c0632143c336037413f3a /files/etc/nginx/sites-available
parent	c1a547aee3040a5ec298c174577b75cf78170f60 (diff)