This document provides recommendations for configuring a website's Content Security Policy (CSP) for the Maps JavaScript API. Because end users run a wide variety of browser types and versions, developers are encouraged to use this example as a reference and fine-tune it until no further CSP violations occur.
Note: All websites should specify googleapis.com in their CSP directives. After Q2 2023 the Maps JavaScript API will reject all requests using CSP directives that do not specify googleapis.com (learn more). Learn more about Content Security Policy.
Strict CSP
We recommend using strict CSP over allowlist CSP to mitigate the possibility of security attacks. The Maps JavaScript API supports nonce-based strict CSP. Websites must populate both script and style elements with a nonce value. Internally, the Maps JavaScript API finds the first such element and applies its nonce value to the style or script elements inserted by the API script, respectively.
The following example shows a sample CSP, along with an HTML page where it is embedded:
Sample Content Security Policy
script-src 'nonce-{script value}' 'strict-dynamic' https: 'unsafe-eval' blob:;
img-src 'self' https://*.googleapis.com https://*.gstatic.com *.google.com *.googleusercontent.com data:;
frame-src *.google.com;
connect-src 'self' https://*.googleapis.com *.google.com https://*.gstatic.com data: blob:;
font-src https://fonts.gstatic.com;
style-src 'nonce-{style value}' https://fonts.googleapis.com;
worker-src blob:;
Sample HTML page
<!DOCTYPE html>
<html>
<head>
<link rel="stylesheet" href="style.css" nonce="{style value}">
<style nonce="{style value}">...</style>
...
</head>
<body>
<div id="map"></div>
<script src="https://maps.googleapis.com/maps/api/js?key=&callback=initMap" async nonce="{script value}"></script>
<script nonce="{script value}"> function initMap() { ... } </script>
</body>
</html>
Allowlist CSP
If you use an allowlist CSP, consult the list of Google Maps Domains. We recommend checking that document and the Maps JavaScript API release notes regularly and adding any new service domain to the allowlist when needed.
Websites that load the Maps JavaScript API from a legacy Google APIs domain (for example maps.google.com) or a region-specific domain (for example maps.google.fr) must also include those domain names in their CSP script-src directive, as shown in the following example:
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googleapis.com https://*.gstatic.com *.google.com https://*.ggpht.com *.googleusercontent.com blob:;
img-src 'self' https://*.googleapis.com https://*.gstatic.com *.google.com *.googleusercontent.com data:;
frame-src *.google.com;
connect-src 'self' https://*.googleapis.com *.google.com https://*.gstatic.com data: blob:;
font-src https://fonts.gstatic.com;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
worker-src blob:;
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-09 UTC.