Javascript

Chart.js v4 is one of the easier charting libraries to run under a strict Content Security Policy. That’s the good news. The less fun part: “easier” does not mean “automatic.” The moment you mix Chart.js with inline bootstrapping code, third-party plugins, CDN delivery, tag managers, or framework hydration tricks, your policy gets messy fast. I’ve had to clean this up more than once, and the pattern is always the same: the chart library itself is usually fine, but the surrounding app code quietly punches holes in CSP. ...

Highlight.js is usually easy to lock down with Content Security Policy. The core library does not need eval, it does not need inline event handlers, and it works fine under a strict policy if you load it like a normal script. The place where people get sloppy is theming. They drop in inline <style> blocks, use broad CDN allowlists, or keep style-src 'unsafe-inline' around because syntax highlighting “needs it”. It doesn’t. ...

Cotiless had the kind of frontend stack I see all the time: marketing scripts, analytics, consent tooling, a couple of “just paste this snippet” integrations, and a team that wanted security without breaking the site. That’s exactly where CSP gets messy. The goal wasn’t to build the most academic Content Security Policy. The goal was to ship a policy that reduced XSS risk, survived real production traffic, and didn’t turn every release into a blame game between security and frontend. ...

MathJax is one of those libraries that looks harmless until you lock down your CSP and everything explodes. You ship a clean policy, reload the page, and suddenly your equations stay as raw TeX, inline styles get blocked, fonts don’t load, and the console turns into a crime scene. I’ve seen teams blame MathJax, blame CSP, then quietly add 'unsafe-inline' everywhere just to make the pain stop. That works, but it’s a bad trade. ...

I’ve seen this pattern a lot: a team adds MapLibre GL JS to an otherwise locked-down site, ships to staging, and the map quietly explodes under Content Security Policy. No tiles. No markers. Maybe the page itself works, but the console fills up with CSP errors about workers, styles, images, and network requests. Then somebody reaches for 'unsafe-inline' or loosens connect-src to https: and calls it a day. That’s how good CSPs die. ...

D3.js v7 is pretty friendly to Content Security Policy compared to older frontend stacks. It does not need eval, it does not inject mystery scripts, and it mostly sticks to normal DOM APIs. That’s the good news. The bad news is that D3 usually lives inside apps that do all the annoying CSP-breaking stuff around it: inline bootstrapping, dynamic data loading, CSS in <style> blocks, analytics tags, and third-party embeds. So the trick is not “make D3 work.” The trick is “make D3 work without punching a giant hole in your policy.” ...

Ghost embeds are easy to drop into a page and easy to forget from a CSP perspective. That’s where people get burned: the embed works in development, then production CSP blocks it, or worse, someone loosens the policy with script-src * and calls it done. Don’t do that. If you’re embedding Ghost content, membership widgets, or Portal-related UI on your site, you need to explicitly allow the right sources and keep the policy tight everywhere else. The good news is Ghost’s embed surface is pretty manageable if you approach it methodically. ...

Plotly.js is great until you put a real Content Security Policy in front of it. I’ve seen this go the same way a bunch of times: charts work fine in local dev, someone adds a decent CSP in staging, and suddenly the graph is blank, console errors pile up, and the quick “fix” is to throw 'unsafe-inline' and 'unsafe-eval' into the policy. That usually gets the chart rendering again, but it also guts the point of having CSP. ...

Leaflet looks simple until you lock down your site with Content Security Policy. Then the map goes blank, markers disappear, plugin styles break, and you end up staring at DevTools wondering why a harmless map library suddenly needs half the internet. I’ve hit this enough times that I treat Leaflet as a CSP integration task, not just a UI widget. The good news: most failures come from a handful of repeat mistakes. ...

PDF.js is one of those libraries that looks simple until CSP gets involved. You drop in the viewer, load a PDF, and everything works locally. Then you turn on a real Content Security Policy and suddenly the worker fails, fonts disappear, images stop rendering, or the whole viewer goes blank with a useless console error. I’ve hit this a few times. The pattern is usually the same: people start with a generic CSP, then keep adding exceptions until the app works again. That usually ends with unsafe-inline, unsafe-eval, and a policy that technically exists but doesn’t really protect anything. ...