I have the following line on the layout loading the google maps script:

<script src="https://maps.googleapis.com/maps/api/js?key=MY_KEY" async defer></script>

On the web.config, Content Security Policy is enabled allowing only self scripts and the *.googleapis.com

<content-Security-Policy enabled="true">
      <script-src self="true">
        <add source="*.googleapis.com"/>            
      </script-src>
    </content-Security-Policy>

When I open the page, google maps plugin is working fine. But I'm getting this error on the JavaScript console:

js?key=MY_KEY:318 Refused to connect to 'https://maps.googleapis.com/maps/api/mapsjs/gen_204?csp_test=true' because it violates the following Content Security Policy directive: "connect-src 'self'".

It seems like the google script is loading a second call to that other script. (And what's that csp_test=true means??) Even though the gmaps is working, I would like to get rid of that exception, and I'm not able to... Any help?

Thanks in advance!

CodePudding user response：

The script attempts to send data to maps.googleapis.com, but that is not allowed as you have restricted connect-src to 'self' only. You would likely need to add modify your configuration to this:

<content-Security-Policy enabled="true">
  <script-src self="true">
    <add source="*.googleapis.com"/>            
  </script-src>
  <connect-src self="true">
    <add source="*.googleapis.com"/>            
  </connect-src>
</content-Security-Policy>

You could also be more restrictive on the subdomain (maps.googleapis.com) or use the default-src directive instead.