Content Security Policy (CSP) with Lazy Loaded Maps API

[michaelgregson]

Hello all,

When Lazy Loading the Maps API as per the docs; what is the appropriate way to secure a CSP to satisy the CSP Evaluator?

script-src https://maps.googleapis.com/;

Allows the script to work, but the evaluator prefers nonces or hashes which I am unsure how to implement when loaded this way.

In addition, specifying trusted types:

trusted-types angular angular#bundler; require-trusted-types-for 'script';

Results in the error this document requires 'TrustedScriptURL' assignment.

Thank you in advance for any advice; I appreciate this issue is not specific to this lazy loading implementation but I have been unable to find any answers elsewhere.