https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/csp-header-setting/m-p/1289472#M81169 <P>Based on the error message in the screenshot, it appears that the issue is related to the Content Security Policy (CSP) settings blocking the loading of the map. To resolve this issue, you can modify your CSP settings to allow the necessary domains for the map to render properly.</P><P>The script-src directive should include the domains used by the map, such as js.arcgis.com. Also, the img-src directive should allow *.arcgis.com for loading map images.</P><P>Here's an updated version of your CSP settings:</P><P>plaintext<BR />Copy code<BR />frame-ancestors 'self';<BR />block-all-mixed-content;<BR />default-src 'self';<BR />script-src 'self' 'report-sample' 'unsafe-inline' 'unsafe-eval' js.arcgis.com;<BR />style-src 'self' 'report-sample' 'unsafe-inline' js.arcgis.com;<BR />object-src 'none';<BR />frame-src 'self';<BR />child-src 'self';<BR />img-src 'self' data: blob: *.arcgis.com;<BR />font-src 'self' data: js.arcgis.com;<BR />connect-src 'self' *.arcgisonline.com *.arcgis.com;<BR />manifest-src 'self';<BR />base-uri 'self';<BR />form-action 'self';<BR />media-src 'self';<BR />prefetch-src 'self';<BR />worker-src 'self' blob:;<BR />With these updated CSP settings, you should allow the necessary domains for the map to render without being blocked by the Content Security Policy.</P><P>&nbsp;</P><P>Regards,</P><P>&nbsp;Rachel Gomez</P> Tue, 16 May 2023 05:38:16 GMT RachelGomez 2023-05-16T05:38:16Z https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/csp-header-setting/m-p/1288749#M81148 <P>Good Day<BR /><BR />I'm trying to configure a CSP header, and every time I try to load one of the maps, it just doesn't render, this is what I get:<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Screenshot from 2023-05-12 15-39-15.png" style="width: 200px;"><img src="https://community.esri.com/t5/image/serverpage/image-id/70553i3B7B3058A13B08E0/image-size/small?v=v2&amp;px=200" role="button" title="Screenshot from 2023-05-12 15-39-15.png" alt="Screenshot from 2023-05-12 15-39-15.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>This is my CSP setting:<BR /><BR /></P><P>&nbsp;</P><LI-CODE lang="c">frame-ancestors 'self'; block-all-mixed-content; default-src 'self'; script-src 'self' 'report-sample' 'unsafe-inline' 'unsafe-eval' style-src 'self' 'report-sample' 'unsafe-inline' js.arcgis.com object-src 'none'; frame-src 'self' child-src 'self'; img-src 'self' data: blob: *.arcgis.com font-src 'self' data: js.arcgis.com; connect-src 'self' *.arcgisonline.com *.arcgis.com manifest-src 'self'; base-uri 'self'; form-action 'self'; media-src 'self' prefetch-src 'self'; worker-src 'self' blob:;</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>What do I need to add, or change?<BR /><BR />Thanks</P> Fri, 12 May 2023 19:42:32 GMT https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/csp-header-setting/m-p/1288749#M81148 AndrewMurdoch1 2023-05-12T19:42:32Z https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/csp-header-setting/m-p/1289472#M81169 <P>Based on the error message in the screenshot, it appears that the issue is related to the Content Security Policy (CSP) settings blocking the loading of the map. To resolve this issue, you can modify your CSP settings to allow the necessary domains for the map to render properly.</P><P>The script-src directive should include the domains used by the map, such as js.arcgis.com. Also, the img-src directive should allow *.arcgis.com for loading map images.</P><P>Here's an updated version of your CSP settings:</P><P>plaintext<BR />Copy code<BR />frame-ancestors 'self';<BR />block-all-mixed-content;<BR />default-src 'self';<BR />script-src 'self' 'report-sample' 'unsafe-inline' 'unsafe-eval' js.arcgis.com;<BR />style-src 'self' 'report-sample' 'unsafe-inline' js.arcgis.com;<BR />object-src 'none';<BR />frame-src 'self';<BR />child-src 'self';<BR />img-src 'self' data: blob: *.arcgis.com;<BR />font-src 'self' data: js.arcgis.com;<BR />connect-src 'self' *.arcgisonline.com *.arcgis.com;<BR />manifest-src 'self';<BR />base-uri 'self';<BR />form-action 'self';<BR />media-src 'self';<BR />prefetch-src 'self';<BR />worker-src 'self' blob:;<BR />With these updated CSP settings, you should allow the necessary domains for the map to render without being blocked by the Content Security Policy.</P><P>&nbsp;</P><P>Regards,</P><P>&nbsp;Rachel Gomez</P> Tue, 16 May 2023 05:38:16 GMT https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/csp-header-setting/m-p/1289472#M81169 RachelGomez 2023-05-16T05:38:16Z https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/csp-header-setting/m-p/1289636#M81177 <P>Thanks for the suggestion.<BR /><BR />The issue, I was missing: <A href="https://js.arcgis.com/4.26/@arcgis/core/assets/esri/core/workers/RemoteClient.js" target="_blank">https://js.arcgis.com/4.26/@arcgis/core/assets/esri/core/workers/RemoteClient.js</A> in script-src.&nbsp; Once I added that the workers were able to load and everything, so far, has been working great.</P><P>&nbsp;</P><P>Thanks</P> Tue, 16 May 2023 15:23:04 GMT https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/csp-header-setting/m-p/1289636#M81177 AndrewMurdoch1 2023-05-16T15:23:04Z