Reputation: 11
I made this CSP for my asp.net application, to only use internal scripts and https://ajax.aspnetcdn.com:
<add name="Content-Security-Policy" value="default-src 'self'; object-src 'none'; img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ajax.aspnetcdn.com;style-src 'self' 'unsafe-inline'" />
But I need to use the Google Maps API for some pages, and the browser blocks them with this error (I masked the API key here):
Refused to load the script 'https://maps.googleapis.com/maps/api/js?key=*******' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ajax.aspnetcdn.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Is there a way to specify more external sources in the script-src section? Or do I need to add another section?
I tried this:
<add name="Content-Security-Policy" value="default-src 'self'; object-src 'none'; img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ajax.aspnetcdn.com https://maps.googleapis.com;style-src 'self' 'unsafe-inline'" />
but the error changes into this one:
Refused to connect to 'https://maps.googleapis.com/maps/api/mapsjs/gen_204?csp_test=true' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
So I tried adding this:
;connect-src 'self' 'unsafe-inline' 'unsafe-eval' https://maps.googleapis.com
But I get the first error.
I hope I explained it well: I was not able to find similar threads, so maybe I'm approaching the problem from the wrong angle.
Thanks
Upvotes: 0
Views: 1440
Reputation: 11
Ok, I solved it by adding the URL in the script-src AND in a connect-src too:
Posting this for others with the same problem
Upvotes: 1
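To see why each policy in the question produced the error it did, here is a small simulator of the CSP fallback chain the browser messages mention (script-src-elem falls back to script-src, connect-src falls back to default-src). It is an added example, not code from the question or the answer; it models host-source and 'self' matching only, and the "fixed" policy is a constructed reading of the answer (the Maps host in both script-src and connect-src), with a placeholder in place of the API key.

```python
from urllib.parse import urlparse

# CSP3 fallback order quoted in the browser errors above:
#   <script> elements: script-src-elem -> script-src -> default-src
#   fetch/XHR/beacon:   connect-src -> default-src
FALLBACK = {
    "script-src-elem": ["script-src-elem", "script-src", "default-src"],
    "connect-src": ["connect-src", "default-src"],
}

def parse_csp(value):
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source, url, page_origin):
    """Host-source and 'self' matching only. Keywords such as 'unsafe-inline' never
    match a URL; scheme-sources (data:) and wildcards are not modelled here."""
    u = urlparse(url)
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source.startswith("'") or source.endswith(":"):
        return False
    s = urlparse(source if "://" in source else f"https://{source}")
    return s.scheme == u.scheme and s.netloc == u.netloc

def check(policy_value, directive, url, page_origin="https://example.test"):
    """Return (allowed, governing directive) for one load, walking the fallback chain."""
    policy = parse_csp(policy_value)
    for name in FALLBACK[directive]:
        if name in policy:
            return any(source_matches(s, url, page_origin) for s in policy[name]), name
    return True, None  # no governing directive at all: nothing to enforce

# The two policies from the question, plus the combination the answer describes (constructed).
ORIGINAL = ("default-src 'self'; object-src 'none'; img-src 'self' data:;"
            "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ajax.aspnetcdn.com;"
            "style-src 'self' 'unsafe-inline'")
WITH_SCRIPT_SRC = ORIGINAL.replace("https://ajax.aspnetcdn.com;",
                                   "https://ajax.aspnetcdn.com https://maps.googleapis.com;")
FIXED = WITH_SCRIPT_SRC + ";connect-src 'self' https://maps.googleapis.com"

SCRIPT_URL = "https://maps.googleapis.com/maps/api/js?key=PLACEHOLDER_KEY"  # key is a placeholder
PING_URL = "https://maps.googleapis.com/maps/api/mapsjs/gen_204?csp_test=true"

if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL), ("script-src only", WITH_SCRIPT_SRC),
                          ("script-src + connect-src", FIXED)):
        print(label, check(policy, "script-src-elem", SCRIPT_URL), check(policy, "connect-src", PING_URL))
```

The first policy is blocked at script-src, the second passes the script but is blocked at default-src for the gen_204 request, and only the third allows both.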