Skip to main content
Apps run in a sandboxed iframe with strict security controls by default. App-level settings let you enable specific features on a per-app basis, giving you fine-grained control over what each app can do.

Requirements

Editor permissions or higher on a document are required to edit app settings.

Accessing app settings

To access an app’s settings:
  1. In an app, click Edit to enter draft mode.
  2. Near the top left corner of the page, click the icon (located next to Code).

Allow map providers

The Omni Agent can enable this setting automatically when you ask it to add a map to your app.
The Allow map providers setting allows maps in your app by enabling it to render tiles from keyless map providers. This setting is off by default and must be explicitly enabled by an editor. By default, apps can’t make outbound network requests or load external images — the iframe’s Content Security Policy (CSP) blocks them to prevent data exfiltration. When Allow map providers is enabled, Omni widens the CSP to permit image and network requests to the map providers’ tile servers and the CDNs their libraries load from. The allowed hosts are third-party services that the app author doesn’t control, so they can’t be used as a channel to exfiltrate query data (unlike a bring-your-own-key provider where the author could read request logs). The app never gains access to 'self', https:, or wildcard origins. The app can use the following providers when this setting is enabled. No additional setup is needed.
ProviderTypeLibrary
OpenStreetMapRaster tilesLeaflet
CartoRaster tilesLeaflet
CartoVector tiles (WebGL)MapLibre GL