leaflet-plugins

Use fetch() instead of adding <script> tag for better Content-Security-Policy.

Open rgroenewoudt opened this issue 2 years ago • 2 comments

The Bing layer loads JSON from dev.virtualearth.net. This is done by adding a

This PR changes it to a fetch() which loads JSON and thus only requires adding the domain to safer connect-src in the Content-Security-Policy.

rgroenewoudt, Jun 15 '23 09:06
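An added example, not part of the original issue or the plugin's code: a simplified CSP source check showing why a fetch() to dev.virtualearth.net needs only connect-src, while loading the same URL through a script tag would need script-src for that host. The page origin, policy string, URL path and function names are constructed for illustration, and the matcher handles only `*`, `'self'` and `scheme://host` sources.

```javascript
// Constructed sample values (not from the issue): page origin, policy, URL path.
const PAGE_ORIGIN = 'https://maps.example';
const POLICY = "default-src 'self'; connect-src 'self' https://dev.virtualearth.net";
const METADATA_URL = 'https://dev.virtualearth.net/placeholder-metadata';

// Parse a policy string into directive -> source list. As in CSP, the first
// occurrence of a duplicated directive wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Simplified check: would `policy` let a page at `pageOrigin` load `url`
// under `directive` ('script-src' for a script tag, 'connect-src' for fetch)?
function cspAllows(policy, directive, url, pageOrigin) {
  const directives = parseCsp(policy);
  const sources = directives.get(directive) ?? directives.get('default-src');
  if (sources === undefined) return true; // no applicable directive: unrestricted
  const origin = new URL(url).origin;
  return sources.some((src) =>
    src === '*' ||
    (src === "'self'" && origin === pageOrigin) ||
    src === origin);
}

// JSON loader in the style the issue proposes: the response is parsed as
// data and never executed. `fetchImpl` is injectable so it can be stubbed.
async function loadJson(url, fetchImpl = globalThis.fetch) {
  const response = await fetchImpl(url);
  if (!response.ok) {
    throw new Error(`metadata request failed: HTTP ${response.status}`);
  }
  return response.json();
}
```

With this policy the fetch() is allowed while a script tag pointing at the same host is blocked, so the third-party host is never granted script execution in the page.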

But we should also consider compatibility: https://caniuse.com/fetch Is it time to say goodbye to IE and old Android?

johnd0e, Jun 15 '23 20:06

As this is a very simple usage of fetch(), a polyfill like https://github.com/github/fetch will work for backwards compatibility with old browsers.

rgroenewoudt, Jun 16 '23 07:06