If you want to embed Eraser in a site with a sane Content Security Policy, you have a few choices. None of them are perfect. The right one depends on whether you care more about tight isolation, easy maintenance, or preserving a very strict policy posture. I’ve had to make this tradeoff on production apps, and the pattern is always the same: the embed itself is easy, the CSP around it is where the mess starts. ...
Water.css is the kind of CSS framework I like for security work: tiny, boring, and mostly predictable. That matters for CSP because every extra build step, inline style hack, or third-party asset is another thing you need to allow. If you’re using Water.css, your CSP can usually stay tight. Most setups only need to allow your own origin for styles, or a single CDN if you’re loading it remotely. What Water.css changes in CSP Water.css is just a stylesheet. In the normal case, CSP impact is limited to: ...
Cotiless had the kind of frontend stack I see all the time: marketing scripts, analytics, consent tooling, a couple of “just paste this snippet” integrations, and a team that wanted security without breaking the site. That’s exactly where CSP gets messy. The goal wasn’t to build the most academic Content Security Policy. The goal was to ship a policy that reduced XSS risk, survived real production traffic, and didn’t turn every release into a blame game between security and frontend. ...
I’ve seen this pattern a lot: a team adds MapLibre GL JS to an otherwise locked-down site, ships to staging, and the map quietly explodes under Content Security Policy. No tiles. No markers. Maybe the page itself works, but the console fills up with CSP errors about workers, styles, images, and network requests. Then somebody reaches for 'unsafe-inline' or loosens connect-src to https: and calls it a day. That’s how good CSPs die. ...
A-Frame is a nice way to get WebXR scenes on the screen fast. You can ship VR or AR in a few tags, sprinkle in components, and call it a day. Then CSP shows up and breaks half the experience. I’ve seen this a lot: the app works locally, works in a relaxed staging setup, then production adds a real Content Security Policy and suddenly textures stop loading, inline components fail, analytics goes dark, and WebSocket features quietly die. ...
D3.js v7 is pretty friendly to Content Security Policy compared to older frontend stacks. It does not need eval, it does not inject mystery scripts, and it mostly sticks to normal DOM APIs. That’s the good news. The bad news is that D3 usually lives inside apps that do all the annoying CSP-breaking stuff around it: inline bootstrapping, dynamic data loading, CSS in <style> blocks, analytics tags, and third-party embeds. So the trick is not “make D3 work.” The trick is “make D3 work without punching a giant hole in your policy.” ...
Adobe Typekit — now usually called Adobe Fonts — is one of those services that looks simple until CSP enters the room. You paste the embed code, the fonts load, everyone is happy. Then you lock down your site with Content Security Policy and suddenly your typography falls back to Arial. I’ve had this break in production more than once. The annoying part is that Typekit needs more than one CSP directive, and the exact domains matter. If you only allow scripts, the stylesheet gets blocked. If you allow styles but forget fonts, the CSS loads and the fonts still fail. Classic. ...
Wistia embeds are one of those cases where a clean Content Security Policy gets messy fast. You start with a tight policy, add one video, and suddenly you’re dealing with frame-src, script-src, img-src, connect-src, media delivery, analytics, and a player that wants to talk to a handful of subdomains. If your site already runs a strict CSP, Wistia can feel like the one integration that pressures you into punching holes everywhere. ...
Font Awesome is one of those libraries that looks harmless until CSP gets involved. Then suddenly half your icons disappear, the browser starts shouting about blocked fonts or styles, and somebody suggests adding https: everywhere until the warnings stop. That usually “works,” but it also guts your policy. If you’re using Font Awesome with a Content Security Policy, the failures usually come from a few predictable mistakes: allowing the CSS but not the font files allowing the kit script but not the injected styles self-hosting some assets and loading others from a CDN relying on default-src and assuming it covers everything you need fixing breakage with unsafe-inline when the real problem is somewhere else Here’s what goes wrong and how I’d fix it. ...
Teams love design systems because they make UI feel consistent. Security teams usually get handed the bill later. That’s exactly where CSP gets painful in a Gestalt-style frontend: lots of reusable components, analytics hooks, consent tooling, embedded assets, and a build pipeline that mixes app code with third-party scripts. If you’re working on a Pinterest-like stack using Gestalt components, you can’t treat Content Security Policy as a checkbox. You need a policy that survives real product code. ...