I can write parts of the code below:
index.html:
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval' https://maps.googleapis.com https://www.paypal.com; script-src-elem 'self' 'unsafe-eval' 'nonce-abc123' https://maps.googleapis.com https://www.paypal.com;">
map.jsx
useEffect(() => {
// Load Google Maps API script
const script = document.createElement('script');
script.src = `https://maps.googleapis.com/maps/api/js?key=${GOOGLE_API_KEY}&libraries=places`;
script.async = true;
script.onload = () => setMapLoaded(true);
document.head.appendChild(script);
return () => {
document.head.removeChild(script);
};
}, []);
The error:
index.js:2 Refused to load the script 'https://maps.googleapis.com/maps/api/js?key=HIDDEN_API_KEY&libraries=places' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
setting in .ic-assets.json
[
{
"match": "**/*",
"headers": {
"Permissions-Policy": "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), sync-script=(), trust-token-redemption=(), window-placement=(), vertical-scroll=()",
"X-Frame-Options": "DENY",
"Referrer-Policy": "same-origin",
"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
"X-Content-Type-Options": "nosniff",
"X-XSS-Protection": "1; mode=block"
}
}
]