Skip to content Skip to sidebar Skip to footer

How To Allow Content Security Policy To Run External Javascript From Google Api?

This is my current script-src content security policy for my app: script-src 'self' 'unsafe-inline' https://maps.googleapis.com https://maps.gstatic.com; trying to load the followi

Solution 1:

I had the same problem but was able to resolve it by using a hash with https://*.googleapis.com whitelisted.

The script-src directive lets developers whitelist a particular inline script by specifying its hash as an allowed source of script.

Usage is straightforward. The server computes the hash of a particular script block’s contents, and includes the base64 encoding of that value in the Content-Security-Policy header.

For example:

<metahttp-equiv="Content-Security-Policy"content="script-src 'self' 'sha256-...4aQo=' https://*.googleapis.com">

Note that for dynamic applications it's better to use a nonce.

Hope this helps!

Post a Comment for "How To Allow Content Security Policy To Run External Javascript From Google Api?"