Restrict map tile url to https protocol

MoonE · MoonE · commit 3ef2de4072e1 · 2026-03-08T02:10:41.000+01:00
Signed-off-by: Maximilian Krög &lt;maxi_kroeg@web.de&gt;
diff --git a/src/Header.php b/src/Header.php
@@ -419,7 +419,7 @@ public function getPageTitle(): string
     /** Get the Content-Security-Policy header */
     private function getCspHeader(): string
     {
-        $mapTileUrl = ' tile.openstreetmap.org';
+        $mapTileUrl = ' https://tile.openstreetmap.org';
         $cspAllow = $this->config->config->CSPAllow === '' ? '' : ' ' . $this->config->config->CSPAllow;
         $captchaUrl =
             $this->config->config->CaptchaLoginPrivateKey === '' ||
diff --git a/tests/unit/HeaderTest.php b/tests/unit/HeaderTest.php
@@ -226,7 +226,7 @@ public static function providerForTestGetHttpHeaders(): array
                 '',
                 '',
                 "default-src 'self';"
-                    . " img-src 'self' data: tile.openstreetmap.org;"
+                    . " img-src 'self' data: https://tile.openstreetmap.org;"
                     . " object-src 'none';"
                     . " script-src 'self' 'unsafe-inline' 'unsafe-eval';"
                     . " style-src 'self' 'unsafe-inline';"
@@ -239,7 +239,7 @@ public static function providerForTestGetHttpHeaders(): array
                 'PublicKey',
                 'captcha.tld csp.tld',
                 "default-src 'self' captcha.tld csp.tld example.com example.net;"
-                    . " img-src 'self' data: captcha.tld csp.tld example.com example.net tile.openstreetmap.org;"
+                    . " img-src 'self' data: captcha.tld csp.tld example.com example.net https://tile.openstreetmap.org;"
                     . " object-src 'none';"
                     . " script-src 'self' 'unsafe-inline' 'unsafe-eval' captcha.tld csp.tld example.com example.net;"
                     . " style-src 'self' 'unsafe-inline' captcha.tld csp.tld example.com example.net;"
@@ -252,7 +252,7 @@ public static function providerForTestGetHttpHeaders(): array
                 'PublicKey',
                 'captcha.tld csp.tld',
                 "default-src 'self' captcha.tld csp.tld;"
-                    . " img-src 'self' data: captcha.tld csp.tld tile.openstreetmap.org;"
+                    . " img-src 'self' data: captcha.tld csp.tld https://tile.openstreetmap.org;"
                     . " object-src 'none';"
                     . " script-src 'self' 'unsafe-inline' 'unsafe-eval' captcha.tld csp.tld;"
                     . " style-src 'self' 'unsafe-inline' captcha.tld csp.tld;",

Original file line number	Diff line number	Diff line change
`@@ -419,7 +419,7 @@ public function getPageTitle(): string`
`419`	`419`	`/** Get the Content-Security-Policy header */`
`420`	`420`	`private function getCspHeader(): string`
`421`	`421`	`{`
`422`		`- $mapTileUrl = ' tile.openstreetmap.org';`
	`422`	`+ $mapTileUrl = ' https://tile.openstreetmap.org';`
`423`	`423`	`$cspAllow = $this->config->config->CSPAllow === '' ? '' : ' ' . $this->config->config->CSPAllow;`
`424`	`424`	`$captchaUrl =`
`425`	`425`	`$this->config->config->CaptchaLoginPrivateKey === '' \|\|`