CSP for Loom Embeds: Common Mistakes and Fixes

Loom embeds look simple: paste an iframe, ship it, move on. Then CSP blocks it, the video area goes blank, and somebody “fixes” it by slapping https: into frame-src or loosening half the policy. I’ve seen this happen more than once. Loom is exactly the kind of third-party embed that exposes weak CSP habits: developers guess at directives, over-allow sources, or forget that an iframe usually pulls in more than one origin. ...
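The over-allowance described above, as an added example that is not code from the post: a small CSP frame-src evaluator showing why a bare https: source lets any HTTPS iframe through while a host-and-path source admits only the Loom embed, and why a policy with no frame-src falls back to default-src and blanks the video. It assumes Loom iframes load from https://www.loom.com/embed/<id>; the page origin and video id are placeholders.

```javascript
// Added example (not from the post): a minimal CSP frame-src evaluator.
// The Loom embed URL pattern and the page origin below are assumptions/placeholders.
const BROAD_SOURCES = new Set(["*", "https:", "http:", "data:", "blob:"]);
// Parse "name src src; name src" into { name: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}
// Match one source expression ('self', 'none', *, scheme:, [scheme://]host[:port][/path])
// against a URL, following the CSP3 host and path matching rules (ports simplified).
function sourceMatches(source, url, pageOrigin) {
  const u = new URL(url);
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return u.origin === pageOrigin;
  if (src === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return u.protocol === src; // scheme-source, e.g. https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(source);
  if (!m) return false;
  const scheme = (m[1] || "").toLowerCase(), host = m[2].toLowerCase(), port = m[3], path = m[4];
  if (u.protocol !== (scheme ? `${scheme}:` : new URL(pageOrigin).protocol)) return false;
  const hostOk = host.startsWith("*.") ? u.hostname.endsWith(host.slice(1)) : u.hostname === host;
  const urlPort = u.port || (u.protocol === "https:" ? "443" : "80");
  const portOk = !port || port === "*" || port === urlPort;
  const pathOk = !path || (path.endsWith("/") ? u.pathname.startsWith(path) : u.pathname === path);
  return hostOk && portOk && pathOk;
}
// frame-src governs iframes; CSP3 falls back to child-src, then default-src.
function frameAllowed(header, pageOrigin, frameUrl) {
  const p = parseCsp(header);
  const sources = p["frame-src"] ?? p["child-src"] ?? p["default-src"];
  if (!sources) return true; // no governing directive: embed is unrestricted
  return sources.some((s) => sourceMatches(s, frameUrl, pageOrigin));
}
// The over-allowance the post warns about: a bare scheme or * in frame-src.
function broadFrameSources(header) {
  return (parseCsp(header)["frame-src"] ?? []).filter((s) => BROAD_SOURCES.has(s.toLowerCase()));
}
const PAGE = "https://example.com"; // constructed page origin
const LOOM = "https://www.loom.com/embed/VIDEO_ID_PLACEHOLDER"; // assumed embed URL pattern
const weak = "default-src 'self'; frame-src 'self' https:";
const fixed = "default-src 'self'; frame-src 'self' https://www.loom.com/embed/";
console.log(frameAllowed(weak, PAGE, LOOM), broadFrameSources(weak)); // true [ 'https:' ]
console.log(frameAllowed(fixed, PAGE, LOOM), broadFrameSources(fixed)); // true []
```

Both policies let the Loom iframe load, but only the weak one also admits every other HTTPS origin, which is what broadFrameSources flags.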

May 9, 2026 · 6 min · headertest.com