
Amap Content Security Policy

While developing a web app that uses the API of the Chinese map provider Amap (by AutoNavi), I was confused to find that it does not publish a list of the domains that need to be allowed under a Content Security Policy. The other blog posts I found online were either outdated or simply advised against using CSP at all. So I put together a CSP myself and am publishing it here for any developer facing the same issue.

default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://webapi.amap.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://webapi.amap.com https://vdata.amap.com https://*.is.autonavi.com; frame-ancestors 'none'; worker-src blob:; connect-src 'self' https://*.amap.com

I also found that Amap tries to load a suspicious script from https://restapi.amap.com/v3/log/init, judging from its URI probably a tracker. Beyond that, it requests some suspicious, empty images. None of these were included in the CSP above, for privacy reasons.
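To see what the policy above actually permits per fetch type, here is a small CSP host-source evaluator (an added example, not code from the post or from Amap). It uses the assumed page origin https://app.example.test, skips nonces, hashes, paths and the per-directive fallback chain, and shows that the restapi.amap.com script is blocked by script-src while the same host is still reachable via the *.amap.com wildcard in connect-src.

```javascript
// Minimal evaluator for the host-source part of a CSP (added example).
// Assumed page origin: https://app.example.test. Nonces, hashes, path matching
// and fallbacks other than default-src are deliberately not implemented.
const AMAP_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://webapi.amap.com; " +
  "style-src 'self' 'unsafe-inline'; img-src 'self' https://webapi.amap.com https://vdata.amap.com " +
  "https://*.is.autonavi.com; frame-ancestors 'none'; worker-src blob:; connect-src 'self' https://*.amap.com";

// Parse "name src src; name src" into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Does one source expression match the URL? `page` is the document's own origin.
function sourceMatches(source, url, page) {
  if (source === "'self'") return url.origin === page.origin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-*', nonces, hashes: never a host match
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase(); // scheme-source, e.g. blob:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?((?:\*\.)?[^/:]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false; // an https:// source never matches http
  if (host.startsWith("*.")) {                                              // "*.amap.com" covers restapi.amap.com
    if (!url.hostname.endsWith(host.slice(1).toLowerCase())) return false;  // but not amap.com itself
  } else if (host !== "*" && url.hostname !== host.toLowerCase()) return false;
  if (port && port !== "*" && url.port !== port) return false; // url.port is "" on the default port (not normalised)
  return true;
}

// Is a load of this type allowed? Directives absent from the policy fall back to default-src.
function isAllowed(policy, directive, urlString, pageOrigin = "https://app.example.test") {
  const directives = parseCsp(policy);
  const sources = directives.get(directive) ?? directives.get("default-src") ?? [];
  const url = new URL(urlString);
  return sources.some((s) => sourceMatches(s, url, new URL(pageOrigin)));
}

// The tracker script is blocked by script-src, yet the same host is reachable
// through connect-src because of the *.amap.com wildcard.
console.log(isAllowed(AMAP_CSP, "script-src", "https://restapi.amap.com/v3/log/init"));  // false
console.log(isAllowed(AMAP_CSP, "connect-src", "https://restapi.amap.com/v3/log/init")); // true
```

If the wildcard in connect-src is wider than you want, list the specific Amap hosts your app actually talks to instead and re-run the checks.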