Posts

Twind is great when you want Tailwind-style utilities without a build step. The CSP story is where things get annoying. The problem is simple: Twind often injects CSS at runtime using a <style> tag. CSP hates that unless you explicitly allow it. If you try to run Twind under a strict policy without planning for style injection, your app looks broken fast. This guide is the practical version: what breaks, what policy you need, and the least-painful ways to make Twind work. ...

Boxicons looks simple from the frontend side: drop in a stylesheet, use a class like bx bx-home, and move on. Then CSP shows up and your icons quietly disappear. I’ve seen this happen a lot because Boxicons sits in an awkward spot for CSP. It’s “just icons,” but depending on how you load it, you may need to allow a stylesheet, font files, maybe images, and sometimes a CDN you forgot you were using. If your policy is tight — which it should be — Boxicons is exactly the kind of third-party asset that gets blocked first. ...

Ghost embeds are easy to drop into a page and easy to forget from a CSP perspective. That’s where people get burned: the embed works in development, then production CSP blocks it, or worse, someone loosens the policy with script-src * and calls it done. Don’t do that. If you’re embedding Ghost content, membership widgets, or Portal-related UI on your site, you need to explicitly allow the right sources and keep the policy tight everywhere else. The good news is Ghost’s embed surface is pretty manageable if you approach it methodically. ...

TikTok embeds look simple: paste a blockquote, load their script, done. Then your CSP blocks it and suddenly you’re staring at a blank box, console noise, and a product manager asking why the campaign page is broken. I’ve seen this pattern a lot. Teams start from a pretty strict policy, add TikTok, and either overcorrect by allowing half the internet or undercorrect and leave the embed half-broken. The sweet spot is narrower than people think. ...

Font Awesome is one of those libraries that looks harmless until CSP gets involved. Then suddenly half your icons disappear, the browser starts shouting about blocked fonts or styles, and somebody suggests adding https: everywhere until the warnings stop. That usually “works,” but it also guts your policy. If you’re using Font Awesome with a Content Security Policy, the failures usually come from a few predictable mistakes: allowing the CSS but not the font files allowing the kit script but not the injected styles self-hosting some assets and loading others from a CDN relying on default-src and assuming it covers everything you need fixing breakage with unsafe-inline when the real problem is somewhere else Here’s what goes wrong and how I’d fix it. ...

Teams love design systems because they make UI feel consistent. Security teams usually get handed the bill later. That’s exactly where CSP gets painful in a Gestalt-style frontend: lots of reusable components, analytics hooks, consent tooling, embedded assets, and a build pipeline that mixes app code with third-party scripts. If you’re working on a Pinterest-like stack using Gestalt components, you can’t treat Content Security Policy as a checkbox. You need a policy that survives real product code. ...

Plotly.js is great until you put a real Content Security Policy in front of it. I’ve seen this go the same way a bunch of times: charts work fine in local dev, someone adds a decent CSP in staging, and suddenly the graph is blank, console errors pile up, and the quick “fix” is to throw 'unsafe-inline' and 'unsafe-eval' into the policy. That usually gets the chart rendering again, but it also guts the point of having CSP. ...

Reddit embeds look simple until your CSP starts blocking them. I’ve hit this a few times: product wants a Reddit post embedded on a marketing page, security wants a tight policy, and suddenly you’re trying to figure out whether you need frame-src, script-src, connect-src, or all three. The answer depends on how you embed Reddit, and that choice has real security and maintenance tradeoffs. If you’re building for a developer audience, the biggest mistake is treating “support Reddit embeds” as one CSP change. It’s not. There are a few patterns, and each one expands your policy in different ways. ...

Leaflet looks simple until you lock down your site with Content Security Policy. Then the map goes blank, markers disappear, plugin styles break, and you end up staring at DevTools wondering why a harmless map library suddenly needs half the internet. I’ve hit this enough times that I treat Leaflet as a CSP integration task, not just a UI widget. The good news: most failures come from a handful of repeat mistakes. ...

Instagram embeds are one of those things that look simple until CSP gets involved. You paste the embed code, reload the page, and suddenly the post is blank, the console is yelling about blocked frames or scripts, and someone suggests adding https: to half your policy. That usually “works,” but it also wrecks the point of having CSP in the first place. If you want Instagram embeds and a CSP that still means something, you need to decide which tradeoff you’re willing to accept. ...