maps.googleapis.com in our policy:
Your policy might look like this:
Without such a policy, we would get an error in our browser, for example:
Content Security Policy: The page's settings blocked the loading of a resource at https://maps.googleapis.com/maps/api/js?key=... ("script-src")
You will notice that the images loaded may differ depending on what type of map you are using. You may see something like this in your network log:
maps.gstatic.com - loads various img assets for the map such as crosshair cursors, a plain marker, the Google logo, etc.
maps.googleapis.com - loads tiles of the map
data:image/svg+xml - several resources are loaded as SVG using data URIs
khms0.googleapis.com - loads satellite images for the map. We will use *.googleapis.com in our policy to allow all similar domains.
geo0.ggpht.com - loads street view images. This could be from a few different similar subdomains, so we will use *.ggpht.com in our content security policy.
img-src data: maps.gstatic.com *.googleapis.com *.ggpht.com
Without this we might get an error in the console such as:
Refused to load the img 'https://maps.googleapis.com/...' because it violates the following Content Security Policy directive: "img-src 'self'".
A Content-Security-Policy header that works with Google Maps might look like this:
Content-Security-Policy: script-src maps.googleapis.com;img-src data: maps.gstatic.com *.googleapis.com *.ggpht.com
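To check a candidate policy against the hosts seen in the network log before deploying it, the following added example (not code from the original page) implements a simplified version of CSP source matching. It models only scheme-sources and host-sources with a leading `*.` wildcard; the function names and the request paths in `SAMPLE_REQUESTS` are constructed for illustration.

```javascript
// Simplified CSP source matching: scheme-sources ("data:") and host-sources
// with an optional leading "*." wildcard. Ports, paths, 'self', nonces and
// hashes are deliberately not modelled.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources); // first occurrence wins
    }
  }
  return directives;
}

function sourceMatches(source, url) {
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) { // scheme-source such as data:
    return url.protocol === source.toLowerCase();
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  const host = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').toLowerCase();
  // "*.example.com" matches any subdomain but not example.com itself
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

function isAllowed(header, directive, resourceUrl) {
  const policy = parsePolicy(header);
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true; // nothing restricts this fetch type
  const url = new URL(resourceUrl);
  return sources.some((s) => sourceMatches(s, url));
}

// Returns the requests the policy would block.
function blockedRequests(header, requests) {
  return requests.filter((r) => !isAllowed(header, r.directive, r.url));
}

const POLICY = 'script-src maps.googleapis.com;img-src data: maps.gstatic.com *.googleapis.com *.ggpht.com';
// Constructed sample requests: hosts are from the network log above, paths are made up.
const SAMPLE_REQUESTS = [
  { directive: 'script-src', url: 'https://maps.googleapis.com/maps/api/js' },
  { directive: 'img-src', url: 'https://maps.gstatic.com/marker.png' },
  { directive: 'img-src', url: 'https://khms0.googleapis.com/tile.jpg' },
  { directive: 'img-src', url: 'https://geo0.ggpht.com/pano.jpg' },
  { directive: 'img-src', url: 'data:image/svg+xml,%3Csvg%3E%3C/svg%3E' },
];
console.log(blockedRequests(POLICY, SAMPLE_REQUESTS)); // [] means nothing is blocked
```

Running the same check with the last source written as `*.ggpht` reports the street view image as blocked, because a wildcard host-source only matches when the full registered domain follows the `*.`.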