From c732de602888de70530b2f3f23024776e808a22b Mon Sep 17 00:00:00 2001
From: Bartosz Prusinowski <bartosz@interactivethings.com>
Date: Tue, 2 Dec 2025 10:58:57 +0100
Subject: [PATCH 1/4] chore: Add Maptiler to CSP

---
 app/next.config.js            | 2 +-
 app/pages/embed/[chartId].tsx | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/next.config.js b/app/next.config.js
index f80407ed3..632e90c51 100644
--- a/app/next.config.js
+++ b/app/next.config.js
@@ -68,7 +68,7 @@ module.exports = withPreconstruct(
               } https://*.sentry.io https://vercel.live/ https://vercel.com https://*.googletagmanager.com`,
               `script-src 'self' 'unsafe-inline'${
                 process.env.NODE_ENV === "development" ? " 'unsafe-eval'" : ""
-              } https://*.sentry.io https://vercel.live/ https://vercel.com https://*.googletagmanager.com https://api.mapbox.com`,
+              } https://*.sentry.io https://vercel.live/ https://vercel.com https://*.googletagmanager.com https://api.mapbox.com https://api.maptiler.com`,
               `style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net`,
               `font-src 'self'`,
               `form-action 'self'`,
diff --git a/app/pages/embed/[chartId].tsx b/app/pages/embed/[chartId].tsx
index b3901c2e0..5434492de 100644
--- a/app/pages/embed/[chartId].tsx
+++ b/app/pages/embed/[chartId].tsx
@@ -66,7 +66,7 @@ const EmbedPage = (props: PageProps) => {
       <Head>
         <meta
           httpEquiv="Content-Security-Policy"
-          content="default-src 'self' 'unsafe-inline' data:; script-src 'unsafe-inline' 'unsafe-eval' 'self'; style-src 'self' 'unsafe-inline';"
+          content="default-src 'self' 'unsafe-inline' data:; script-src 'unsafe-inline' 'unsafe-eval' 'self' https://api.mapbox.com https://api.maptiler.com; style-src 'self' 'unsafe-inline';"
         />
       </Head>
       <ConfiguratorStateProvider

From de4ff382e86b13deba29d677cf3c5fc402226976 Mon Sep 17 00:00:00 2001
From: Bartosz Prusinowski <bartosz@interactivethings.com>
Date: Tue, 2 Dec 2025 11:14:53 +0100
Subject: [PATCH 2/4] fix: Add .vercel.app to CSP

---
 app/next.config.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/next.config.js b/app/next.config.js
index 632e90c51..a3695ac3d 100644
--- a/app/next.config.js
+++ b/app/next.config.js
@@ -78,8 +78,8 @@ module.exports = withPreconstruct(
 
               // * to allow loading legend images from custom WMS / WMTS endpoints and data: to allow downloading images
               `img-src 'self' * data: blob:`,
-              `script-src-elem 'self' 'unsafe-inline' https://*.admin.ch https://visualize.admin.ch https://*.visualize.admin.ch https://vercel.live https://vercel.com https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://api.mapbox.com https://cdn.jsdelivr.net`,
-              `worker-src 'self' blob: https://*.admin.ch`,
+              `script-src-elem 'self' 'unsafe-inline' https://*.admin.ch https://visualize.admin.ch https://*.visualize.admin.ch https://vercel.live https://vercel.com https://*.vercel.app https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://api.mapbox.com https://cdn.jsdelivr.net`,
+              `worker-src 'self' blob: https://*.admin.ch https://*.vercel.app`,
             ].join("; "),
           });
         }

From bbbef5e9dd3dc61a068ce38a1800ad45f24e6aa7 Mon Sep 17 00:00:00 2001
From: Bartosz Prusinowski <bartosz@interactivethings.com>
Date: Tue, 2 Dec 2025 11:25:26 +0100
Subject: [PATCH 3/4] fix: Embed CSP

---
 app/pages/embed/[chartId].tsx | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/app/pages/embed/[chartId].tsx b/app/pages/embed/[chartId].tsx
index 5434492de..3deefefa7 100644
--- a/app/pages/embed/[chartId].tsx
+++ b/app/pages/embed/[chartId].tsx
@@ -66,7 +66,17 @@ const EmbedPage = (props: PageProps) => {
       <Head>
         <meta
           httpEquiv="Content-Security-Policy"
-          content="default-src 'self' 'unsafe-inline' data:; script-src 'unsafe-inline' 'unsafe-eval' 'self' https://api.mapbox.com https://api.maptiler.com; style-src 'self' 'unsafe-inline';"
+          content={[
+            `default-src 'self' 'unsafe-inline' data: https://*.sentry.io https://vercel.live/ https://vercel.com https://*.googletagmanager.com`,
+            `script-src 'unsafe-inline' 'unsafe-eval' 'self' https://api.mapbox.com https://api.maptiler.com https://*.sentry.io https://vercel.live/ https://vercel.com https://*.googletagmanager.com`,
+            `style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net`,
+            `font-src 'self'`,
+            `form-action 'self'`,
+            `connect-src 'self' *`,
+            `img-src 'self' * data: blob:`,
+            `script-src-elem 'self' 'unsafe-inline' https://*.admin.ch https://visualize.admin.ch https://*.visualize.admin.ch https://vercel.live https://vercel.com https://*.vercel.app https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://api.mapbox.com https://cdn.jsdelivr.net`,
+            `worker-src 'self' blob: https://*.admin.ch https://*.vercel.app`,
+          ].join("; ")}
         />
       </Head>
       <ConfiguratorStateProvider

From 9e976da5d0a20dbbf2cdc2f81bbb9ecba50431c1 Mon Sep 17 00:00:00 2001
From: Bartosz Prusinowski <bartosz@interactivethings.com>
Date: Tue, 2 Dec 2025 11:36:06 +0100
Subject: [PATCH 4/4] docs: Update CHANGELOG

---
 CHANGELOG.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c07ec0b27..a99a8f16e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,7 +11,8 @@ You can also check the
 
 ## Unreleased
 
-Nothing yet.
+- Fixes
+  - Fixed CSP for the embed page
 
 ### 6.2.4 - 2025-11-28