EPICSYSTEM-85 Updated CSP and reference method for MAP_STYLE json (#70)

met-web/nginx/nginx.dev.conf

@@ -44,9 +44,9 @@ http {
     default-src 'self' https://kit.fontawesome.com https://ka-f.fontawesome.com data: blob: filesystem: 'unsafe-inline' 'unsafe-eval';
     script-src 'self' 'sha256-JXGej4mPACbE/fP5kuunldJEyMk62sNjNe85DtAcMoU=' https://kit.fontawesome.com https://ka-f.fontawesome.com https://www2.gov.bc.ca https://cdn.form.io https://api.mapbox.com https://www.youtube.com https://player.vimeo.com 'unsafe-eval';
     worker-src 'self' blob:;
-    img-src 'self' data: blob: https://citz-gdx.objectstore.gov.bc.ca;
+    img-src 'self' data: blob: https://citz-gdx.objectstore.gov.bc.ca https://*.tile.openstreetmap.org;
     style-src 'self' 'unsafe-inline';
-    connect-src 'self' https://spt.apps.gov.bc.ca/com.snowplowanalytics.snowplow/tp2 https://epic-engage-analytics-api-dev.apps.gold.devops.gov.bc.ca https://epic-engage-web-dev.apps.gold.devops.gov.bc.ca https://met-analytics-api-dev.apps.gold.devops.gov.bc.ca https://epic-engage-oidc-dev.apps.gold.devops.gov.bc.ca https://met-oidc-dev.apps.gold.devops.gov.bc.ca https://kit.fontawesome.com https://ka-f.fontawesome.com https://citz-gdx.objectstore.gov.bc.ca https://api.mapbox.com https://governmentofbc.maps.arcgis.com https://tiles.arcgis.com https://www.arcgis.com https://vimeo.com;
+    connect-src 'self' https://spt.apps.gov.bc.ca/com.snowplowanalytics.snowplow/tp2 https://epic-engage-analytics-api-dev.apps.gold.devops.gov.bc.ca https://epic-engage-web-dev.apps.gold.devops.gov.bc.ca https://met-analytics-api-dev.apps.gold.devops.gov.bc.ca https://epic-engage-oidc-dev.apps.gold.devops.gov.bc.ca https://met-oidc-dev.apps.gold.devops.gov.bc.ca https://kit.fontawesome.com https://ka-f.fontawesome.com https://citz-gdx.objectstore.gov.bc.ca https://api.mapbox.com https://governmentofbc.maps.arcgis.com https://tiles.arcgis.com https://www.arcgis.com https://vimeo.com https://*.tile.openstreetmap.org;
     frame-src 'self' https://met-oidc-dev.apps.gold.devops.gov.bc.ca https://epic-engage-web-dev.apps.gold.devops.gov.bc.ca https://epic-engage-analytics-api-dev.apps.gold.devops.gov.bc.ca https://epic-engage-oidc-dev.apps.gold.devops.gov.bc.ca https://met-analytics-dev.apps.gold.devops.gov.bc.ca https://www.youtube.com https://player.vimeo.com;
     frame-ancestors 'self' https://met-oidc-dev.apps.gold.devops.gov.bc.ca https://epic-engage-oidc-dev.apps.gold.devops.gov.bc.ca";
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

met-web/nginx/nginx.prod.conf

@@ -44,9 +44,9 @@ http {
       default-src 'self' https://kit.fontawesome.com https://ka-f.fontawesome.com data: blob: filesystem: 'unsafe-inline' 'unsafe-eval';
       script-src 'self' 'sha256-JXGej4mPACbE/fP5kuunldJEyMk62sNjNe85DtAcMoU=' https://kit.fontawesome.com https://ka-f.fontawesome.com https://www2.gov.bc.ca https://cdn.form.io https://api.mapbox.com https://www.youtube.com https://player.vimeo.com 'unsafe-eval';
       worker-src 'self' blob:;
-      img-src 'self' data: blob: https://citz-gdx.objectstore.gov.bc.ca;
+      img-src 'self' data: blob: https://citz-gdx.objectstore.gov.bc.ca https://*.tile.openstreetmap.org;
       style-src 'self' 'unsafe-inline';
-      connect-src 'self' https://spt.apps.gov.bc.ca/com.snowplowanalytics.snowplow/tp2 https://epic-engage-analytics-api-prod.apps.gold.devops.gov.bc.ca https://epic-engage-web-prod.apps.gold.devops.gov.bc.ca https://met-analytics-api-prod.apps.gold.devops.gov.bc.ca https://epic-engage-oidc-prod.apps.gold.devops.gov.bc.ca https://met-oidc.apps.gold.devops.gov.bc.ca https://kit.fontawesome.com https://ka-f.fontawesome.com https://citz-gdx.objectstore.gov.bc.ca https://api.mapbox.com https://governmentofbc.maps.arcgis.com https://tiles.arcgis.com https://www.arcgis.com https://vimeo.com;
+      connect-src 'self' https://spt.apps.gov.bc.ca/com.snowplowanalytics.snowplow/tp2 https://epic-engage-analytics-api-prod.apps.gold.devops.gov.bc.ca https://epic-engage-web-prod.apps.gold.devops.gov.bc.ca https://met-analytics-api-prod.apps.gold.devops.gov.bc.ca https://epic-engage-oidc-prod.apps.gold.devops.gov.bc.ca https://met-oidc.apps.gold.devops.gov.bc.ca https://kit.fontawesome.com https://ka-f.fontawesome.com https://citz-gdx.objectstore.gov.bc.ca https://api.mapbox.com https://governmentofbc.maps.arcgis.com https://tiles.arcgis.com https://www.arcgis.com https://vimeo.com https://*.tile.openstreetmap.org;
       frame-src 'self' https://met-oidc.apps.gold.devops.gov.bc.ca https://epic-engage-analytics-api-prod.apps.gold.devops.gov.bc.ca https://epic-engage-web-prod.apps.gold.devops.gov.bc.ca https://epic-engage-oidc-prod.apps.gold.devops.gov.bc.ca https://met-analytics-prod.apps.gold.devops.gov.bc.ca https://www.youtube.com https://player.vimeo.com;
       frame-ancestors 'self' https://met-oidc.apps.gold.devops.gov.bc.ca https://epic-engage-oidc-prod.apps.gold.devops.gov.bc.ca";
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

met-web/nginx/nginx.test.conf

@@ -44,9 +44,9 @@ http {
       default-src 'self' https://kit.fontawesome.com https://ka-f.fontawesome.com data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; 
       script-src 'self' 'sha256-JXGej4mPACbE/fP5kuunldJEyMk62sNjNe85DtAcMoU=' https://kit.fontawesome.com https://ka-f.fontawesome.com https://www2.gov.bc.ca https://cdn.form.io https://api.mapbox.com https://www.youtube.com https://player.vimeo.com 'unsafe-eval';
       worker-src 'self' blob:;
-      img-src 'self' data: blob: https://citz-gdx.objectstore.gov.bc.ca;
+      img-src 'self' data: blob: https://citz-gdx.objectstore.gov.bc.ca https://*.tile.openstreetmap.org;
       style-src 'self' 'unsafe-inline';
-      connect-src 'self' https://spt.apps.gov.bc.ca/com.snowplowanalytics.snowplow/tp2 https://epic-engage-web-test.apps.gold.devops.gov.bc.ca https://epic-engage-analytics-api-test.apps.gold.devops.gov.bc.ca https://epic-engage-oidc-test.apps.gold.devops.gov.bc.ca https://met-analytics-api-test.apps.gold.devops.gov.bc.ca https://met-oidc-test.apps.gold.devops.gov.bc.ca https://kit.fontawesome.com https://ka-f.fontawesome.com https://citz-gdx.objectstore.gov.bc.ca https://api.mapbox.com https://governmentofbc.maps.arcgis.com https://tiles.arcgis.com https://www.arcgis.com https://vimeo.com;
+      connect-src 'self' https://spt.apps.gov.bc.ca/com.snowplowanalytics.snowplow/tp2 https://epic-engage-web-test.apps.gold.devops.gov.bc.ca https://epic-engage-analytics-api-test.apps.gold.devops.gov.bc.ca https://epic-engage-oidc-test.apps.gold.devops.gov.bc.ca https://met-analytics-api-test.apps.gold.devops.gov.bc.ca https://met-oidc-test.apps.gold.devops.gov.bc.ca https://kit.fontawesome.com https://ka-f.fontawesome.com https://citz-gdx.objectstore.gov.bc.ca https://api.mapbox.com https://governmentofbc.maps.arcgis.com https://tiles.arcgis.com https://www.arcgis.com https://vimeo.com https://*.tile.openstreetmap.org https://*.tile.openstreetmap.org;
       frame-src 'self' https://met-oidc-test.apps.gold.devops.gov.bc.ca https://epic-engage-web-test.apps.gold.devops.gov.bc.ca https://epic-engage-oidc-test.apps.gold.devops.gov.bc.ca https://epic-engage-analytics-api-test.apps.gold.devops.gov.bc.ca https://met-analytics-test.apps.gold.devops.gov.bc.ca https://www.youtube.com https://player.vimeo.com;
       frame-ancestors 'self' https://met-oidc-test.apps.gold.devops.gov.bc.ca https://epic-engage-oidc-test.apps.gold.devops.gov.bc.ca";
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

met-web/src/components/map/index.tsx

@@ -42,7 +42,7 @@ const lineStyle: AnyLayer = {
         'line-color': `${Palette.primary.main}`,
     },
 };
-export const MAP_STYLE = process.env.PUBLIC_URL + '/basic-map.json';
+export const MAP_STYLE = window.location.origin + '/basic-map.json';
 
 const MetMap = ({ geojson, latitude, longitude, markerLabel, zoom }: MapProps) => {
     return (