From 4ddc89f710dfa5a91879dafc145f8c2ea601905e Mon Sep 17 00:00:00 2001
From: mitoperni
Date: Mon, 9 Feb 2026 18:49:57 +0100
Subject: [PATCH] fix: document unsafe-* CSP directives with justification comments
---
 next.config.ts | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/next.config.ts b/next.config.ts
index b809006..ccbbd28 100644
--- a/next.config.ts
+++ b/next.config.ts
@@ -31,7 +31,15 @@ const nextConfig: NextConfig = {
 key: 'Content-Security-Policy',
 value: [
 "default-src 'self'",
+ // unsafe-eval: Required by Mapbox GL JS - uses new Function() internally
+ // to compile style expressions (filters, conditional colors).
+ // Without it, the map fails to render. See: https://github.com/mapbox/mapbox-gl-js/issues/3773
+ // unsafe-inline: Required by Next.js for hydration bootstrap scripts
+ // and JSON-LD scripts using dangerouslySetInnerHTML.
+ // Alternative: nonce-based approach via middleware (adds complexity).
 "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://api.mapbox.com https://vercel.live",
+ // unsafe-inline: Required by Mapbox GL JS - injects inline styles
+ // to position map elements (markers, popups, controls).
 "style-src 'self' 'unsafe-inline' https://api.mapbox.com https://vercel.live",
 "img-src 'self' data: blob: https://api.mapbox.com https://tiles.mapbox.com https://vercel.live https://vercel.com",
 "font-src 'self' https://vercel.live https://assets.vercel.com",
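Review bot: The new script-src comment explains why 'unsafe-inline' and 'unsafe-eval' are present but does not record their consequence, which is that with 'unsafe-inline' in script-src this policy does not mitigate injected inline scripts at all, so the directive is currently allow-listing origins only. I would state that explicitly so nobody reads the "Required by" lines as the policy being hardened, e.g. `// NOTE: with 'unsafe-inline' present, script-src provides no XSS mitigation; it only restricts external script origins.` The nonce line should also mention that a nonce (or a 'sha256-…' hash for the static JSON-LD blocks) can be added before 'unsafe-inline' is removed, since browsers that understand nonces/hashes ignore 'unsafe-inline' in the same directive, which allows a staged migration rather than a flag-day change. The 'unsafe-eval' justification cites one Mapbox issue; it would help to note that it should be revisited when the Mapbox GL dependency is upgraded. The enclosing nextConfig object starts and ends outside this hunk.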