Implement support for strict Content-Security-Policy (MapLibre usage)
Describe the problem
Hello, currently when using this library with a Content-Security-Policy policy, users are forced to use worker-src blob: which is inherently unsafe due to it being functionally equivalent to unsafe-eval. This is due to the usage of maplibre-gl. This would be generally seen as a pretty notable hole in a deployed Content-Security-Policy.
Describe the proposed solution
maplibre-gl has a CSP variant of its JS bundle, per: https://maplibre.org/maplibre-gl-js/docs/#csp-directives It would be greatly appreciated if support for this was implemented, as then a much more fine grained and significantly less vulnerable Content-Security-Policy can be leveraged.
Alternatives considered
No response
Additional Information
No response
Please refer to https://w3c.github.io/webappsec-csp/#security-inherit-csp for additional details on this
@the-gabe thank you for logging this issue. Could you please explain what your requested solution to this would be? Would it be a separate Esri Leaflet release file that's built using maplibre-gl-csp.js?
@gavinr-maps Yes that would be a good route forward I believe
An alternate way of doing this could be just using this by default or shipping both in the dist file, and letting users with strict CSP needs configure it as they wish.
@the-gabe I think I have a basic implementation of this in this branch https://github.com/Esri/esri-leaflet-vector/tree/csp-build
Since I don't have access to a strict CSP environment to test this in could you try to:
- Pull down the branch, `npm i` and `npm run build`
- Use the resulting `dist/esri-leaflet-vector-csp.js` and `esri-leaflet-vector-csp-worker.js` to see if they work.
There is an example in https://github.com/Esri/esri-leaflet-vector/blob/csp-build/examples/quickstart-csp.html#L39 showing how to set the URL to the worker.
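As an added example (not code from this thread, esri-leaflet-vector, or MapLibre), the following checker resolves which CSP directive actually governs `new Worker(url)` and flags the permissive values discussed above. It assumes only the standard CSP fallback chain for workers (`worker-src`, then `child-src`, then `script-src`, then `default-src`); the two sample policies are constructed to contrast what the stock bundle needs with what the CSP build allows.

```javascript
// Added example for this thread, not code from esri-leaflet-vector or MapLibre.
// It resolves which CSP directive will be enforced for Worker creation and
// flags the permissive values discussed above (worker-src blob:, 'unsafe-eval').

// Fallback chain browsers apply for workers: worker-src, then child-src,
// then script-src, then default-src.
const WORKER_FALLBACK = ["worker-src", "child-src", "script-src", "default-src"];

// Parse a serialized policy ("dir v1 v2; dir2 v3") into a Map of directive -> sources.
// A repeated directive name is ignored after its first occurrence, as browsers do.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return the directive (and its source list) that governs new Worker(url).
function effectiveWorkerSources(directives) {
  for (const name of WORKER_FALLBACK) {
    if (directives.has(name)) return { directive: name, values: directives.get(name) };
  }
  return { directive: null, values: [] }; // nothing restricts workers at all
}

// Audit one policy string; returns the findings a deployer would want to act on.
function auditWorkerPolicy(policy) {
  const directives = parseCsp(policy);
  const { directive, values } = effectiveWorkerSources(directives);
  const lower = values.map((v) => v.toLowerCase());
  const findings = [];
  if (directive === null) findings.push("no directive restricts worker sources");
  if (lower.includes("blob:")) findings.push(`${directive} allows blob:`);
  if (lower.includes("data:")) findings.push(`${directive} allows data:`);
  if (lower.includes("*")) findings.push(`${directive} allows any origin`);
  // Script execution is governed by script-src, with default-src as fallback.
  const scriptSrc = directives.get("script-src") || directives.get("default-src") || [];
  if (scriptSrc.map((v) => v.toLowerCase()).includes("'unsafe-eval'")) {
    findings.push("script execution allows 'unsafe-eval'");
  }
  return { directive, values, findings };
}

// Constructed sample policies.
// What the stock maplibre-gl bundle needs: its worker is created from a blob: URL.
const WEAK_POLICY = "default-src 'self'; script-src 'self'; worker-src blob:";
// What the CSP build makes possible: the worker is a plain same-origin script file
// (e.g. the esri-leaflet-vector-csp-worker.js from the branch), so 'self' suffices.
const STRICT_POLICY = "default-src 'self'; script-src 'self'; worker-src 'self'";

// Print both audits when run directly under Node.
if (typeof require !== "undefined" && require.main === module) {
  for (const p of [WEAK_POLICY, STRICT_POLICY]) {
    console.log(p, "=>", auditWorkerPolicy(p).findings);
  }
}
```

Running the audit against `WEAK_POLICY` reports that `worker-src` allows `blob:`, while `STRICT_POLICY` produces no findings; a policy with no `worker-src` or `child-src` at all is resolved down to `script-src`, which is the case where a permissive `script-src` silently widens what workers may load.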