CSP for Instagram Embeds: Options, Tradeoffs, and Pitfalls
Instagram embeds are one of those things that look simple until CSP gets involved. You paste the embed code, reload the page, and suddenly the post is blank, the console is yelling about blocked frames or scripts, and someone suggests adding https: to half your policy. That usually “works,” but it also wrecks the point of having CSP in the first place. If you want Instagram embeds and a CSP that still means something, you need to decide which tradeoff you’re willing to accept. ...
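To make the `https:` problem concrete, here is an added example (not code from this article) that parses a policy and reports where scripts or frames are effectively allowed from any host. It goes slightly beyond the text by also flagging `*` and `http:`; the policies and the `embeds.example` host are constructed placeholders, not Instagram's real origins.

```javascript
// Added example: flag scheme-wide sources in the directives that govern
// <script> elements and <iframe>s. Sample policies below are constructed.

// Fallback chains from the CSP spec: the first directive present wins.
const FALLBACKS = {
  script: ['script-src-elem', 'script-src', 'default-src'],
  frame: ['frame-src', 'child-src', 'default-src'],
};
const BROAD = new Set(['*', 'https:', 'http:']);

// Parse a serialized policy into Map(directive -> [sources]).
// A repeated directive is ignored after its first occurrence, as in browsers.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return a finding for each resource type whose effective directive
// allows any host (or for which no directive applies at all).
function findBroadSources(policy) {
  const directives = parsePolicy(policy);
  const findings = [];
  for (const [resource, chain] of Object.entries(FALLBACKS)) {
    const effective = chain.find((name) => directives.has(name));
    if (!effective) {
      findings.push({ resource, directive: null, source: '(unrestricted)' });
      continue;
    }
    const sources = directives.get(effective).map((s) => s.toLowerCase());
    // With 'strict-dynamic', CSP3 browsers ignore host and scheme sources for scripts.
    if (resource === 'script' && sources.includes("'strict-dynamic'")) continue;
    for (const source of sources) {
      if (BROAD.has(source)) findings.push({ resource, directive: effective, source });
    }
  }
  return findings;
}

// Constructed policies: the "just add https:" fix versus a host allowlist.
const LOOSE = "default-src 'self'; script-src 'self' https:; frame-src https:";
const TIGHT = "default-src 'self'; script-src 'self' https://embeds.example; frame-src https://embeds.example";
console.log(findBroadSources(LOOSE), findBroadSources(TIGHT));
```

Running the check against a deployed header in CI catches the moment someone widens the policy to get an embed rendering again.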