CSP for Turret CSS: Common Mistakes and Fixes

Turret CSS is just CSS, so on paper CSP should be easy: allow your stylesheet, block the weird stuff, move on. In practice, teams still break production layouts with CSP all the time. I’ve seen the same pattern over and over: someone tightens style-src, the app ships, and suddenly Turret CSS “doesn’t work.” Usually Turret isn’t the problem. The policy is. More specifically, the policy was written with JavaScript in mind and nobody checked how styles are actually loaded, injected, or modified across the app. ...

April 16, 2026 · 7 min · headertest.com

CSP for Vimeo Player API: Common Mistakes and Fixes

If you’ve ever dropped a Vimeo embed onto a page and then wired up the Vimeo Player API, you’ve probably hit the classic wall: the iframe renders, but the API fails in weird ways, or the iframe is blocked entirely by CSP. This happens a lot because Vimeo embeds are one of those features that cross several CSP directives at once. You’re not just allowing a script. You’re allowing a framed document, cross-origin messaging, and sometimes extra assets depending on how you load the player. ...

April 15, 2026 · 6 min · headertest.com

CSP Mistakes with Aragon Icons and How to Fix Them

If you use Aragon icons and your CSP is even slightly off, the breakage is usually annoying, subtle, and easy to misdiagnose. You see missing icons, blank squares, CSP console noise, or everything works locally but fails in production. I’ve hit this enough times to have strong opinions about it: most CSP problems around icon libraries come from guessing which directive applies. People tweak default-src, maybe throw in img-src data:, and hope for the best. That’s not how CSP works. ...

April 14, 2026 · 7 min · headertest.com

CSP for Linaria: fixing style-src without giving up

Teams usually discover CSP problems with Linaria the annoying way: everything works in development, then production gets a stricter policy and styles start disappearing. I’ve seen this happen when a team moves from a relaxed policy to something closer to a real production header, like the one headertest.com sends:

content-security-policy: default-src 'self' https://www.googletagmanager.com https://*.cookiebot.com https://*.google-analytics.com; script-src 'self' 'nonce-MjgzMGM0NjctNzg4MS00NTNiLThkN2UtNjY3N2VmMTRlOGUy' 'strict-dynamic' https://www.googletagmanager.com https://*.cookiebot.com https://*.google-analytics.com; style-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://*.cookiebot.com https://consent.cookiebot.com; img-src 'self' data: https:; font-src 'self'; connect-src 'self' https://api.headertest.com https://tallycdn.com https://or.headertest.com wss://or.headertest.com https://*.google-analytics.com https://*.googletagmanager.com https://*.cookiebot.com; frame-src 'self' https://consentcdn.cookiebot.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; object-src 'none'

That header is realistic because it shows the usual compromise: strong script controls, but style-src 'unsafe-inline' left behind because CSS tooling got messy. ...

April 13, 2026 · 6 min · headertest.com

CSP for PDF.js Viewer: Common Mistakes and Fixes

PDF.js is one of those libraries that looks simple until CSP gets involved. You drop in the viewer, load a PDF, and everything works locally. Then you turn on a real Content Security Policy and suddenly the worker fails, fonts disappear, images stop rendering, or the whole viewer goes blank with a useless console error. I’ve hit this a few times. The pattern is usually the same: people start with a generic CSP, then keep adding exceptions until the app works again. That usually ends with unsafe-inline, unsafe-eval, and a policy that technically exists but doesn’t really protect anything. ...

April 12, 2026 · 7 min · headertest.com

CSP for Pharaoh CSS: a real before-and-after case study

I’ve seen the same pattern over and over: a team adopts a utility-first CSS framework, ships fast, then bolts on CSP later and wonders why the site breaks in weird places. Pharaoh CSS is no exception. The good news is that CSS-heavy sites are usually easier to lock down than JavaScript-heavy apps. The bad news is that most teams still start with a lazy policy like style-src 'unsafe-inline', leave it there forever, and call it “good enough”. It usually isn’t. ...

April 11, 2026 · 7 min · headertest.com

CSP for bare.css: strict, minimal, and practical

bare.css is the kind of CSS library that security folks usually like: tiny, boring, and not trying to be a JavaScript framework in disguise. That changes the CSP conversation quite a bit. If your site uses bare.css and almost nothing else, you can usually run a very tight policy. If your “simple” site also includes analytics, consent banners, embedded forms, tag managers, and a couple of convenience scripts, your CSP gets messy fast. I’ve seen plenty of “minimal” websites end up with a header that looks like an ad-tech startup wrote it. ...

April 10, 2026 · 6 min · headertest.com

CSP for ApexCharts: Copy-Paste Policy Examples

ApexCharts is one of those libraries that looks harmless until you turn on a strict Content Security Policy and parts of your charts suddenly stop rendering. I’ve hit this a few times in dashboards where everything worked fine locally, then failed in staging because CSP blocked inline styles or scripts. ApexCharts itself is pretty friendly compared to some older charting libraries, but you still need to account for how it injects styles and how your app loads it. ...

April 9, 2026 · 7 min · headertest.com

CSP for YouTube Autoplay Embeds

YouTube embeds look simple until CSP gets involved. The usual failure mode goes like this: you paste an <iframe> embed, add autoplay=1, ship a strict policy, and suddenly the video is blank or blocked in the console. Then someone “fixes” it by throwing https: into frame-src or loosening half the policy. That works, but it’s lazy and expensive from a security standpoint. Here’s the version I’d actually ship for a developer-facing site. ...

April 8, 2026 · 6 min · headertest.com

CSP for Milligram: a real before-and-after case study

Milligram is tiny, clean, and boring in the best possible way. That makes it a great fit for a strict Content Security Policy. If your CSS framework is just a stylesheet and not a JavaScript carnival, you can usually lock things down harder than most teams think. I’ve seen the opposite happen in production: a simple site starts with Milligram, then marketing adds Google Tag Manager, analytics, a consent banner, maybe a form embed, and suddenly the CSP turns into a landfill of wildcard domains and unsafe-inline. ...

April 7, 2026 · 6 min · headertest.com