Enabling the API when using CSP

If the application uses a Content Security Policy (CSP), the policy must contain rules that allow the browser to load the API's resources from the required domains; otherwise the API will not work correctly. The rules below are added to the application's existing policy, they do not replace it.

New CSP rules for API

The CSP rules required by the API have been fixed so that applications can run the API under a strict policy. To make this possible, the way the API is loaded has been changed to comply with current browser security standards.

For a smooth migration, add the csp=202512 parameter to the API loading URL (https://js.api.mappable.world?apikey=APIKEY&csp=202512). With this parameter the API is loaded in the way that works under the new CSP rules.

Starting April 1, 2026, the csp=202512 parameter will become optional, and the API will automatically work with the updated CSP rules.

Quick Start

For a quick start with the API and CSP, you can use the ready-made policy fragment below. It contains all rules needed for basic map operation; because the CSP wildcard https://*.mappable.world matches any subdomain of mappable.world, including multi-level ones, it also covers the HTTP API hosts used by mappable.suggest, mappable.search and mappable.route. Merge these directives into your existing policy (for example one that already has default-src), do not use them as the whole policy.

Content-Security-Policy:
  script-src https://*.mappable.world 'unsafe-eval';
  connect-src https://*.mappable.world;
  style-src https://*.mappable.world;
  img-src data: https://*.mappable.world;
  worker-src data: https://*.mappable.world;

CSP rules for basic API operation

The table below shows the rules that need to be added to the application policy for basic API operation. The rules are listed separately for each directive.

Directive      Rules to add to the directive
script-src     https://*.mappable.world
               'unsafe-eval'
connect-src    https://*.mappable.world
style-src      https://*.mappable.world
img-src        data:
               https://*.mappable.world
worker-src     data:
               https://*.mappable.world

'unsafe-eval' is required so that the vector engine can parse tiles. Keep in mind that it applies to every script allowed by script-src, not only to the API: it re-enables eval() and new Function() for your own code as well, so the remaining host allow-list is what limits the damage of an injected script.

If the policy does not allow one of the API's resources, the map (or some of its objects) will be displayed incorrectly. The API itself does not detect which resources were blocked by the policy. To find out which map resources could not be loaded, add the report-uri directive (or the newer report-to directive; report-uri is deprecated in CSP Level 3 but is still supported by current browsers) and have the browser send violation reports to an endpoint you control. During rollout it is safer to ship the new rules in a Content-Security-Policy-Report-Only header first: violations are reported but nothing is blocked, so a missing rule does not break the map for users.

Below is an example policy with rules defined for working with the API:

Content-Security-Policy:
  script-src https://*.mappable.world 'unsafe-eval';
  connect-src https://*.mappable.world;
  style-src https://*.mappable.world;
  img-src data: https://*.mappable.world;
  worker-src data: https://*.mappable.world;

CSP rules for HTTP API requests

The JS API has methods that send requests to the HTTP API:

  • mappable.suggest – request to the HTTP API geosuggest
  • mappable.search – request to the HTTP API geosearch and geocoder
  • mappable.route – request to the HTTP API router

If the application uses these methods, add the domains of the corresponding HTTP APIs to the policy so that the requests are allowed. If connect-src already contains the wildcard https://*.mappable.world from the basic rules, these hosts are matched by it; the explicit entries below are for policies that list hosts individually.

Method             Directive      Rules to add to the directive
mappable.suggest   connect-src    https://suggest.api.mappable.world
mappable.search    connect-src    https://geosearch.api.mappable.world
mappable.route     connect-src    https://router.api.mappable.world
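The following is an added example (this page's own code does not include it) that applies the rules from both tables on this page to an existing policy on the server side, in the language the API itself is used from. It is written as a Node.js module: it parses the application's current Content-Security-Policy value, adds the basic rules and, for the JS API methods the application uses, the HTTP API hosts, and builds the loader URL with the csp=202512 parameter described above. The point a practitioner usually gets wrong is handled explicitly: a directive that the application never set (say img-src) was silently inheriting from default-src, so when it is materialized its inherited sources are copied first; otherwise adding img-src data: https://*.mappable.world would cut off the application's own images. The application policy in the usage note is constructed; the fallback chain (worker-src falls back to child-src, then script-src, then default-src) follows the CSP specification.

```javascript
"use strict";

// Rules from the two tables on this page.
const BASIC_RULES = {
  "script-src": ["https://*.mappable.world", "'unsafe-eval'"],
  "connect-src": ["https://*.mappable.world"],
  "style-src": ["https://*.mappable.world"],
  "img-src": ["data:", "https://*.mappable.world"],
  "worker-src": ["data:", "https://*.mappable.world"],
};
const METHOD_RULES = {
  "mappable.suggest": { "connect-src": ["https://suggest.api.mappable.world"] },
  "mappable.search": { "connect-src": ["https://geosearch.api.mappable.world"] },
  "mappable.route": { "connect-src": ["https://router.api.mappable.world"] },
};

// CSP fallback chain: an absent directive inherits from these, in order.
// Every directive not listed here falls back to default-src directly.
const FALLBACK = { "worker-src": ["child-src", "script-src", "default-src"] };

// "default-src 'self'; img-src 'self' data:" -> { "default-src": ["'self'"], "img-src": ["'self'", "data:"] }
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function serializePolicy(policy) {
  return Object.entries(policy)
    .map(([name, sources]) => (sources.length ? `${name} ${sources.join(" ")}` : name))
    .join("; ");
}

// Sources a directive currently inherits when it is not set explicitly.
function inheritedSources(policy, directive) {
  for (const parent of FALLBACK[directive] || ["default-src"]) {
    if (policy[parent]) return policy[parent];
  }
  return [];
}

// Add the API's rules to an existing policy. Existing sources are kept. A directive that was only
// inherited is materialized with its inherited sources first, so that e.g. adding img-src does not
// drop the 'self' the page was getting from default-src. A bare 'none' is replaced, since 'none'
// must not be combined with other sources.
function withMappableRules(header, methodsUsed = []) {
  const original = parsePolicy(header);
  const merged = Object.fromEntries(Object.entries(original).map(([k, v]) => [k, [...v]]));
  const additions = Object.fromEntries(Object.entries(BASIC_RULES).map(([k, v]) => [k, [...v]]));
  for (const method of methodsUsed) {
    const rules = METHOD_RULES[method];
    if (!rules) throw new Error(`unknown JS API method: ${method}`);
    for (const [directive, sources] of Object.entries(rules)) {
      additions[directive] = (additions[directive] || []).concat(sources);
    }
  }
  for (const [directive, sources] of Object.entries(additions)) {
    // inherit from the ORIGINAL policy, not from directives already extended above
    const base = (original[directive] || inheritedSources(original, directive)).filter((s) => s !== "'none'");
    merged[directive] = [...new Set([...base, ...sources])];
  }
  return serializePolicy(merged);
}

// Loader URL with the migration parameter from this page (APIKEY is a placeholder).
function apiLoaderUrl(apikey) {
  const url = new URL("https://js.api.mappable.world/");
  url.searchParams.set("apikey", apikey);
  url.searchParams.set("csp", "202512");
  return url.toString();
}

module.exports = { parsePolicy, serializePolicy, withMappableRules, apiLoaderUrl };
```

For the constructed application policy default-src 'self'; script-src 'self' 'nonce-r4nd0m' with methodsUsed ["mappable.search"], the result keeps the nonce, extends script-src with https://*.mappable.world and 'unsafe-eval', and creates connect-src 'self' https://*.mappable.world https://geosearch.api.mappable.world; worker-src is created from script-src (its first defined fallback) rather than from default-src. Put the returned string in the Content-Security-Policy header (or Content-Security-Policy-Report-Only while testing) and load the API from apiLoaderUrl(key).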
