CSP for Google Custom Search

Google Custom Search looks simple until you put a real Content Security Policy in front of it. Then things break in annoying, non-obvious ways: scripts stop loading, inline styles get blocked, result iframes fail, and your console turns into a CSP crime scene. I’ve had this happen more than once. The usual mistake is starting with a clean, locked-down policy and assuming Google’s search widget behaves like a normal self-hosted component. It doesn’t. It pulls scripts, images, styles, and frames from multiple Google domains, and if you miss even one, the widget half-renders or silently fails. ...

May 16, 2026 · 6 min · headertest.com