title: Maps CSP
url: /appstore/widgets/security/content-security-policy/maps-csp/
weight: 20
description: Describe the configuration for map widget content security policy
tags: security, headers, widgets, marketplace, marketplace component, widget, maps, google maps, openstreetmap, mapbox, here maps, platform support

1 Introduction

The Maps widget requires access to a map provider (the exact provider is based on your configuration) in order to work. Below, you can see the allowlist domains you need to set up for each available provider.

2 Setup Information

2.1 Google Maps

You can enable allowlist CSP for Google Maps by including these domains:

script-src 'self' https: blob:;
img-src 'self' https://*.googleapis.com https://*.gstatic.com *.google.com *.googleusercontent.com data:;
frame-src *.google.com;
connect-src 'self' https://*.googleapis.com *.google.com https://*.gstatic.com data: blob:;
font-src https://fonts.gstatic.com;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
worker-src blob:;

{{% alert color="info" %}} This list is subject to change by Google Maps. For more first-party details, see Google Maps' content security policy.

You can also look at Google Maps' domain access list for details on host name access requirements. {{% /alert %}}

2.2 OpenStreetMap

You can enable allowlist CSP for OpenStreetMap by including these domains:

script-src 'self';
img-src 'self' https://*.tile.osm.org data:;

2.3 Mapbox

You can enable allowlist CSP for Mapbox by including these domains:

worker-src blob: ;
child-src blob: ;
img-src data: blob: ;
connect-src https://api.mapbox.com https://events.mapbox.com ;

{{% alert color="info" %}} For more first-party details, see Mapbox's content security policy. {{% /alert %}}

2.4 HERE Maps

You can enable allowlist CSP for HERE Maps by including these domains:

script-src 'self';
img-src 'self' https://*.base.maps.cit.api.here.com data:;
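
When a provider's directives are added to a policy the app already sends, the source lists have to be unioned per directive, because a browser ignores a directive that appears a second time in the same policy. The following is an added example, not part of this documentation or of the Maps widget: `BASE_POLICY` is a constructed sample and the function names are hypothetical, while the provider snippets are copied from sections 2.2 and 2.3.

```python
# Added example: merge a map provider's CSP snippet into an existing policy.
BASE_POLICY = "default-src 'self'; script-src 'self'; img-src 'self'; object-src 'none'"  # constructed sample

OPENSTREETMAP = """
script-src 'self';
img-src 'self' https://*.tile.osm.org data:;
"""
MAPBOX = """
worker-src blob: ;
child-src blob: ;
img-src data: blob: ;
connect-src https://api.mapbox.com https://events.mapbox.com ;
"""


def parse_policy(text):
    """Parse a serialized CSP into {directive: [sources]}; first occurrence wins."""
    policy = {}
    for chunk in text.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue  # empty segment, e.g. after a trailing ';'
        name = tokens[0].lower()  # directive names are case-insensitive
        if name in policy:
            continue  # browsers ignore a repeated directive, so mirror that
        policy[name] = tokens[1:]
    return policy


def merge_policies(base, *additions):
    """Union source lists per directive, keeping order and dropping repeats."""
    merged = {name: list(sources) for name, sources in parse_policy(base).items()}
    for addition in additions:
        for name, sources in parse_policy(addition).items():
            current = merged.setdefault(name, [])
            for source in sources:
                if source not in current:
                    current.append(source)
    for name, sources in merged.items():
        # 'none' only has effect when it is the sole source expression
        if len(sources) > 1:
            merged[name] = [s for s in sources if s.lower() != "'none'"]
    return merged


def serialize(policy):
    """Render the merged policy as a single header value."""
    return "; ".join(" ".join([name] + sources) for name, sources in policy.items())
```

Appending a snippet's `img-src` after an existing `img-src` would leave the map tiles blocked, since only the first one is enforced; `serialize(merge_policies(BASE_POLICY, MAPBOX))` yields one `img-src` carrying both source lists.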