I have a map page on my site that allows users to create Leaflet WMS layers on the map. It should be possible to create a WMS map layer from any valid WMS URL.
Currently, this is violating my Content Security Policy, because my img-src there only allows 'self', data:, and a few specific domains required for other pages on my site.
Is there any way to fix this other than just whitelisting https: in img-src? I don't want to loosen the CSP that much, site-wide, when this is only actually needed for the very specific case of Leaflet creating WMS layers.
(I already have a nonce in my script-src policy and I apply the nonce to scripts, which in effect whitelists scripts on an individual basis. I wish there were something similar that could be done for the image requests that Leaflet is making here - e.g., when I call L.tileLayer.wms(url, options), rubber-stamp it to say "any image requests that come out of this are OK".)