I am using the Google Places Autocomplete widget in my application per https://developers.google.com/maps/documentation/javascript/places-autocomplete. I am also setting a strict Content-Security-Policy header to improve the security of my application. One of my goals is to avoid unsafe-inline directives for both script-src and style-src. However, I noticed that when the autocomplete widget loads, it is inserting inline CSS in the <head> of the page, which violates my CSP unless I allow unsafe-inline in the style-src.
Is there a way to get around this using this widget? Other libraries I use support a nonce approach, but I can't find anything like that in Google's documentation.
It seems this feature has already been requested (probably by you) in our Public Issuetracker. We would like to warmly invite you to view the issue in the Issue Tracker, and to star it to register your interest. This will subscribe you to receive technical updates on the issue. Starring the issue also provides us with valuable feedback on the importance of the issue to our customers, and increases the issue's priority with the product engineering team.
You can view and star the issue here: https://issuetracker.google.com/132600807
This Issue Tracker entry is the authoritative source for public information regarding this issue, and all publicly-relevant updates will be posted there.
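An added illustration of the behaviour the question describes (not code from the original post or from Google): a simplified JavaScript model of how a browser decides whether an inline <style> element passes style-src, showing why a style element injected without a nonce is blocked under a strict policy. The function names and sample policies are constructed for this example.

```javascript
// Added example: simplified CSP Level 3 decision for an inline <style> element.
// Hash sources are only detected (they disable 'unsafe-inline'); hash matching is omitted.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// elementNonce is the nonce attribute on the <style> element ("" when absent,
// as with a style element a third-party script creates without one).
function inlineStyleAllowed(header, elementNonce = "") {
  const policy = parsePolicy(header);
  // Fallback order for <style> elements.
  const directive = ["style-src-elem", "style-src", "default-src"].find((d) => policy.has(d));
  if (directive === undefined) {
    return { allowed: true, directive: null, reason: "no directive governs styles" };
  }
  const sources = policy.get(directive);
  const nonces = sources
    .filter((s) => /^'nonce-[^']+'$/i.test(s))
    .map((s) => s.slice(7, -1)); // nonce values are compared case-sensitively
  const hasHash = sources.some((s) => /^'sha(256|384|512)-[^']+'$/i.test(s));
  const unsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");

  if (elementNonce !== "" && nonces.includes(elementNonce)) {
    return { allowed: true, directive, reason: "nonce matches" };
  }
  // A nonce or hash in the list makes the browser ignore 'unsafe-inline'.
  if (unsafeInline && nonces.length === 0 && !hasHash) {
    return { allowed: true, directive, reason: "'unsafe-inline' in effect" };
  }
  return { allowed: false, directive, reason: "inline style has no matching nonce" };
}

// Constructed sample policies (not taken from the original post).
const SAMPLES = [
  "default-src 'self'; style-src 'self'",
  "default-src 'self'; style-src 'self' 'unsafe-inline'",
  "default-src 'self'; style-src 'self' 'nonce-r4nd0m'",
];
for (const p of SAMPLES) console.log(p, "->", inlineStyleAllowed(p).allowed);
```

Adding a nonce to a policy that also lists 'unsafe-inline' makes un-nonced inline styles fail, which is why a library has to support nonces itself before a nonce-based style-src can be used with it.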