CSP for Typeform and Survey Embeds
If you embed Typeform, SurveyMonkey, Google Forms, or similar widgets, CSP gets annoying fast. The failure mode is usually the same: the survey box is blank, the console screams about frame-src or script-src, and someone “fixes” it by throwing https: into half the policy. That works, but it also guts the point of CSP. I’d rather ship a tight policy and open only what the embed actually needs.

The common CSP directives for survey embeds
For most survey providers, these are the directives that matter: ...
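To catch the blanket https: fix described in the opening paragraph before it ships, here is an added example (not code from the original post) that lints a policy for any-host sources governing scripts and frames, including ones inherited through the standard fallback to child-src and default-src. The function names are hypothetical and the provider.example hostnames are constructed placeholders, not real provider endpoints.

```javascript
// Added example: lint a CSP header value for the blanket sources that
// "fix" a blank embed. Hostnames are constructed placeholders.

// Fallback chains browsers use for the two directives named above.
const FALLBACKS = {
  "script-src": ["script-src", "default-src"],
  "frame-src": ["frame-src", "child-src", "default-src"],
};
// Sources that match any host on the network.
const BROAD = new Set(["*", "http:", "https:", "ws:", "wss:", "http://*", "https://*"]);

// Parse a header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by browsers, so keep the first.
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Report every broad source that governs scripts or frames, after fallback.
function findBroadSources(header) {
  const policy = parseCsp(header);
  const findings = [];
  for (const [directive, chain] of Object.entries(FALLBACKS)) {
    const from = chain.find((name) => name in policy);
    if (!from) {
      // No directive in the chain is set, so nothing restricts this load.
      findings.push({ directive, from: null, source: "(unrestricted)" });
      continue;
    }
    for (const source of policy[from]) {
      if (BROAD.has(source.toLowerCase())) findings.push({ directive, from, source });
    }
  }
  return findings;
}

// Constructed sample policies: the quick fix, and a scoped alternative.
const LOOSE = "default-src 'self' https:; script-src 'self' https:";
const TIGHT = "default-src 'self'; script-src 'self' https://embed.provider.example; " +
  "frame-src https://forms.provider.example";

console.log(findBroadSources(LOOSE));
console.log(findBroadSources(TIGHT));
```

The LOOSE policy never mentions frame-src, yet the linter still reports it, because frames inherit https: from default-src.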