diff --git a/.gitignore b/.gitignore
index 5e491c1..83fe6d6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,5 @@ datasync/client_secret*.json
 datasync/credentials.json
 datasync/tokens/*
 datasync/temp_*
+desktop.ini
+*/desktop.ini
diff --git a/.htaccess b/.htaccess
new file mode 100644
index 0000000..a1a0112
--- /dev/null
+++ b/.htaccess
@@ -0,0 +1,3 @@
+Header add Content-Security-Policy "default-src 'self' *.mapbox.com data: blob:; style-src 'self' *.mapbox.com 'unsafe-inline' https:; style-src-elem *.mapbox.com https: 'unsafe-inline'; script-src 'self' *.mapbox.com 'unsafe-inline' https: blob:;"
+
+AddType application/json .geojson
diff --git a/README.md b/README.md
index 320fa2c..43d20e9 100644
--- a/README.md
+++ b/README.md
@@ -8,3 +8,16 @@ A webmap of the history of the residents of Old Ballard, funded by the King Coun
 Open a command line window, go to this folder, type `python -m SimpleHTTPServer 1883` (for Python 2) or `python -m http.server 1883` (for Python 3) or `python3 -m http.server 1883` (to explicitly select Python3 in an environment that also has Python 2 installed), and leave that session running.
 
 Then the page should be available at http://localhost:1883/ (you can change the number in the python command to also change it in the localhost URL).
+
+## Content Security Policy settings for a web server
+
+Depending on individual server settings, this project may need some [CSP configuration](https://content-security-policy.com/) on its host.  **Important: this behaviour may also be browser-specific** because the major browsers do not have consensus on which parts of the CSP spec they support, so it is essential to test a deployment in multiple browsers.
+
+If the map does not appear, check the javascript console.  If CSP is the issue, there will be one or more errors referencing `Content Security Policy`.  In this case, try the following:
+
+1. If the web server is Apache, directly copy the [.htaccess](.htaccess) file in this project to the same directory as [index.html](index.html).  If it's a different server, apply the same CSP directives in that server's syntax.
+2. That should dramatically reduce the number of errors.  But there may still be complaints about a `blob:https:DOMAINNAME/RANDOMSTRING` worker file.  In that instance, set the Content Security Policy `"worker-src 'self' blob:;"` *for the entire site*.  This is necessary because Mapbox spawns workers which appear to be at the site's root directory, even if this map is hosted in a subdirectory.
+
+## XML parsing errors in the Javascript Console
+
+Firefox will sometimes put `XML Parsing Error: not well-formed` in the console about `places.geojson`, because without a `.json` file extension it doesn't recognise the file as being JSON.  This error appears to be harmless--probably because the code in `onload.js` that parses that file explicitly uses `JSON.parse()` to do it--but looks alarming.  It can be silenced by setting the MIME type for `.geojson` files to `application/json`.  The included [.htaccess](.htaccess) file does this for Apache servers.
diff --git a/transcripts/desktop.ini b/transcripts/desktop.ini
deleted file mode 100644
index 4b8572d..0000000
Binary files a/transcripts/desktop.ini and /dev/null differ