[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["缺少我需要的資訊","missingTheInformationINeed","thumb-down"],["過於複雜/步驟過多","tooComplicatedTooManySteps","thumb-down"],["過時","outOfDate","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["示例/程式碼問題","samplesCodeIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-08-17 (世界標準時間)。"],[[["\u003cp\u003eThis document provides recommendations for configuring Content Security Policy (CSP) when using the Maps JavaScript API to ensure compatibility across various browsers.\u003c/p\u003e\n"],["\u003cp\u003eAll websites must specify \u003ccode\u003egoogleapis.com\u003c/code\u003e in their CSP directives by Q2 2023 for the Maps JavaScript API to function correctly.\u003c/p\u003e\n"],["\u003cp\u003eStrict CSP with nonce-based implementation is the recommended approach for enhanced security, requiring websites to add nonce values to \u003ccode\u003escript\u003c/code\u003e and \u003ccode\u003estyle\u003c/code\u003e elements.\u003c/p\u003e\n"],["\u003cp\u003eAllowlist CSP, while supported, requires referencing Google Maps Domains documentation and release notes to keep the allowlist current with new domains.\u003c/p\u003e\n"]]],["Developers should configure their website's Content Security Policy (CSP) for the Maps JavaScript API. Using strict CSP with nonce values for `script` and `style` elements is recommended. Websites must include `googleapis.com` in CSP directives, especially after Q2 2023. The API will apply the first found nonce to its inserted elements. Allowlist CSP users need to consult the list of Google Maps Domains and include any new domains, especially legacy or region-specific ones, in `script-src`.\n"],null,["This document provides recommendations for how to configure the website\nContent Security Policy (CSP) for the Maps JavaScript API. Since\na wide variety of browser types and versions are used by end users, developers\nare encouraged to use this example as a reference, fine-tuning until no further\nCSP violations occur.\n| **Note:** All websites should specify googleapis.com in their CSP directives. After Q2 2023 the Maps JavaScript API will reject all requests using CSP directives that do not specify googleapis.com ([learn more](/maps/deprecations#content-security-policy-update)).\n\n[Learn more about Content Security Policy](https://csp.withgoogle.com/).\n\nStrict CSP\n\nWe recommend using [strict CSP](https://csp.withgoogle.com/docs/strict-csp.html)\nover allowlist CSP to mitigate the possibility of security attacks.\nMaps JavaScript API supports the use of nonce-based strict CSP.\nWebsites must populate both `script` and `style` elements with a nonce value.\nInternally, Maps JavaScript API will find the first such element,\nand apply its nonce value to style or script elements inserted by the API\nscript respectively.\n\nExample\n\nThe following example shows a sample CSP, along with an HTML page where it is\nembedded:\n\nSample Content Security Policy \n\n script-src 'nonce-{script value}' 'strict-dynamic' https: 'unsafe-eval' blob:;\n img-src 'self' https://*.googleapis.com https://*.gstatic.com *.google.com *.googleusercontent.com data:;\n frame-src *.google.com;\n connect-src 'self' https://*.googleapis.com *.google.com https://*.gstatic.com data: blob:;\n font-src https://fonts.gstatic.com;\n style-src 'nonce-{style value}' https://fonts.googleapis.com;\n worker-src blob:;\n\nSample HTML page \n\n \u003c!DOCTYPE html\u003e\n \u003chtml\u003e\n \u003chead\u003e\n \u003clink rel=\"stylesheet\" href=\"style.css\" nonce=\"{style value}\"\u003e\n \u003cstyle nonce=\"{style value}\"\u003e...\u003c/style\u003e\n ...\n \u003c/head\u003e\n \u003cbody\u003e\n \u003cdiv id=\"map\"\u003e\u003c/div\u003e\n \u003cscript src=\"https://maps.googleapis.com/maps/api/js?key=&callback=initMap\" async nonce=\"{script value}\"\u003e\u003c/script\u003e\n \u003cscript nonce=\"{script value}\"\u003e function initMap() { ... } \u003c/script\u003e\n \u003c/body\u003e\n \u003c/html\u003e\n\nAllowlist CSP\n\nIf you have set up allowlist CSP, please consult the [list of Google Maps Domains](/maps/gmp-domains).\nWe recommend consulting this document and the Maps JavaScript API\n[release notes](/maps/documentation/javascript/releases) to stay up to date,\nand include any new service domain into the allowlist if needed.\n\nWebsites which load the Maps JavaScript API from a legacy\nGoogle APIs domain (for example `maps.google.com`) or a region-specific domain\n(for example `maps.google.fr`), must also include these domain names in their\nCSP `script-src` setting, as shown in the following example: \n\n script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googleapis.com https://*.gstatic.com *.google.com https://*.ggpht.com *.googleusercontent.com blob:;\n img-src 'self' https://*.googleapis.com https://*.gstatic.com *.google.com *.googleusercontent.com data:;\n frame-src *.google.com;\n connect-src 'self' https://*.googleapis.com *.google.com https://*.gstatic.com data: blob:;\n font-src https://fonts.gstatic.com;\n style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;\n worker-src blob:;"]]
