Wildcards as subdomains in allowlists

Is it allowed for extensions to have URL’s in their allowlists with wildcard “*” as their subdomains ?

I would like to use Leaflet maps with Google Maps tiles and OpenStreetMap tiles. These tile providers serve their tiles as “png”'s on different subdomains. For one of my earlier extensions, I had tried to include all available subdomains for Google’s tile URLs (https://mt1.google.com/, https://mt2.google.com/, etc.) in the image domain allowlist, which was rejected because they “allow shared hosting and do not meet the requirements that have been set for acceptable domain allowlisting”, which isn’t a clear explanation of rejection.

Is there a clear explanation of what these exact requirements are for the allowlisted URLs ? It is really not ideal to wait weeks to see if a URL is useable and get an extension review rejection.

Would using wildcards solve such issue ?

For example would the following domains meet the “requirements” ?

  • Google Maps Tiles: https://*.google.com/vt/
  • OpenStreetMap Tiles: https://*.tile.openstreetmap.org/
1 Like

I have a deployed/released extension using Leaflet and OpenStreetMap. Not using GoogleMaps as I think theres a schnanigan invovled with the licensing/access keys so I avoided it iirc

Make sure to explicitly describe in your Release Notes why you have included a domain that uses a wildcard and ensure it’s as restrictive a wildcard rule as possible.

Edit for verbosity: IE if you do not explain your choices, Twitch are not going to research why you are asking to use such and such a rule. They can’t/won’t know about all Mapping services. (or certain CDN’s that use wildcard subs domains etc)

It sounds like you tried to use a very open rule in your initial submission

Edit b:

Your second bullet point is one of the rules I have in my list.

The google one seems a bit vague to me which might be the issue. But I havn’t poked around with Google Maps recently to know if you can build a more restrictive rule.

Thanks for the reply Barry,

Question is really how I could allow the “https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png” and/or “https://{s}.google.com/vt/lyrs=s,h&x={x}&y={y}&z={z}&hl=en” URLs in the allow list and not how to use them in the extension source code

I already have a working extension in the “Hosted Test” state, using OSM and GoogleMaps tiles and the wildcard subdomains I mentioned as its allowlist. But from my past experience with GoogleMaps tiles domains in the allowlist, I want to make sure to add the minimally required URLs only to the allowlist and not get the whole review thrown to trash because of it.

Since I can’t see your extension’s allowlist for openstreetmap, could you share what you have it set to ? Because tile.openstreetmap has subdomains a, b, c, d etc. , did you include all of those or used https://*.tile.openstreetmap.org/ since it basically covers all ? Thanks for the edits.

Added more stuff as my brain started to kick in. I have a mug of tea somewhere brewing. SHIT MY TEA brbs Ok I’m back with the tea.

You just need to know which extension it is and it’s in the headers when the HTML is loaded. :stuck_out_tongue: (Under the content-security-policy header). My public stuff isn’t that hard to find!

The Live CSP (pulled from the TwitchPage of, and with the rules for FlightSimTrack added) currently stands at:

content-security-policy: default-src 'self' https://q6gmlap07mpxekhpspevz2sq5xjth7.ext-twitch.tv; block-all-mixed-content; img-src 'self' https://q6gmlap07mpxekhpspevz2sq5xjth7.ext-twitch.tv https://static-cdn.jtvnw.net https://*.tile.openstreetmap.org/ https://ows.mundialis.de/ https://*.tile.maps.openaip.net/ https://*.tiles.openrailwaymap.org/ https://basemap.nationalmap.gov/ https://www.google-analytics.com data: blob:; media-src 'self' https://q6gmlap07mpxekhpspevz2sq5xjth7.ext-twitch.tv data: blob:; frame-ancestors https://supervisor.ext-twitch.tv https://extension-files.twitch.tv https://*.twitch.tv https://*.twitch.tech https://localhost.twitch.tv:* https://localhost.twitch.tech:* http://localhost.rig.twitch.tv:*; font-src 'self' https://q6gmlap07mpxekhpspevz2sq5xjth7.ext-twitch.tv https://fonts.googleapis.com https://fonts.gstatic.com; style-src 'self' 'unsafe-inline' https://q6gmlap07mpxekhpspevz2sq5xjth7.ext-twitch.tv https://fonts.googleapis.com; connect-src 'self' https://q6gmlap07mpxekhpspevz2sq5xjth7.ext-twitch.tv https://api.twitch.tv wss://pubsub-edge.twitch.tv https://twitch.extensions.barrycarlyon.co.uk https://www.google-analytics.com https://stats.g.doubleclick.net; script-src 'self' https://q6gmlap07mpxekhpspevz2sq5xjth7.ext-twitch.tv https://extension-files.twitch.tv https://www.google-analytics.com;

And thats what I used to build out my test system (see end of post for the NPM Module, which could be adapted to other test server scenarios (IE Not hosted test))

For the record my Allowlist for Image Domains for the Extension FlightSimTrack is:

https://*.tile.openstreetmap.org/, https://ows.mundialis.de/, https://*.tile.maps.openaip.net/, https://*.tiles.openrailwaymap.org/, https://basemap.nationalmap.gov/

Which sits after the TwitchCDN and before GoogleAnalytics in the list above.

Not sure what would work best for google since I don’t use Google Maps (licensing/cost issue)

And I explicitly explained in my Release notes why I have wildcards in there and the purpose of those domains. (I’d have to dig if I kept those notes about but the key part was explaining my choices)

So this should be a valid CSP Rule: if you wanted to narrow it down to the z/x/y folder of the domain.

Resource: https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png
ValidCSP: https://*.tile.openstreetmap.org/*/*/*.png

I’d probably omit .png off the end in case they surprise switched to .webp or something, but then you’d have to update leaflet’s configuration (yay release cycle) or have a way to dynamically update what you are feeding to leaflets configuration.

(Yes the dev console says “base URLs” but any valid CSP rule should be valid here)

CSP rules can be specifiic down to the resource. see under Hosts Values - Content-Security-Policy - HTTP | MDN

And for full schbang on the brain dump of CSP heres the !csp command from the TwitchDev Discord

I expect the issue here is really google’s domain if it’s just *.google.com it’s far too open also depends on what data layers (if any) you are using.

Hope this helps it got long winded and rambly