CSP for Google Maps: a real before-and-after fix

Google Maps is one of those integrations that looks trivial right up until CSP starts blocking half of it. I’ve seen this play out a few times: the site already has a decent policy, someone drops in a Maps embed or the JavaScript API, and suddenly the console fills with CSP errors. The quick fix is usually script-src https://maps.googleapis.com 'unsafe-inline' plus a couple of random domains copied from Stack Overflow. That works, but it also turns a decent policy into a mushy one. ...

April 2, 2026 · 6 min · headertest.com

CSP for Google Pay Integration

Google Pay is one of those integrations that looks tiny in code and then immediately punches a hole through your CSP if you guessed the source list wrong. You add a payment button, load the Google Pay JavaScript, open a payment sheet, and suddenly the browser starts yelling about blocked scripts, frames, or network connections. I’ve dealt with this enough times that I now treat payment integrations as CSP work first and feature work second. ...

April 1, 2026 · 6 min · headertest.com

CSP for Typeform and Survey Embeds

If you embed Typeform, SurveyMonkey, Google Forms, or similar widgets, CSP gets annoying fast. The failure mode is usually the same: the survey box is blank, the console screams about frame-src or script-src, and someone “fixes” it by throwing https: into half the policy. That works, but it also guts the point of CSP. I’d rather ship a tight policy and open only what the embed actually needs.

The common CSP directives for survey embeds

For most survey providers, these are the directives that matter: ...

March 31, 2026 · 5 min · headertest.com

CSP for YouTube Embeds and Iframes

YouTube embeds look simple right up until your Content Security Policy starts blocking half the player. I’ve seen this trip up a lot of teams: the page works fine locally, then production sends a strict CSP header and suddenly the iframe is blank, thumbnails don’t load, or the player API silently fails. The fix usually isn’t “disable CSP.” It’s understanding which directives YouTube actually hits, and keeping the allowlist as tight as possible. ...

March 30, 2026 · 6 min · headertest.com

CSP Mistakes with LaunchDarkly Feature Flags

LaunchDarkly is one of those tools that looks harmless from a CSP perspective until it quietly breaks in production. The SDK initializes, flags never arrive, and the only clue is a blocked request buried in DevTools. I’ve seen this a lot with frontend teams that already have a decent CSP and assume feature flags are “just another script.” They usually aren’t. LaunchDarkly needs network access for streaming, polling, events, and sometimes bootstrapping behavior that doesn’t fit neatly into a locked-down policy. ...

March 30, 2026 · 7 min · headertest.com

CSP for Tailwind CSS Setup Without Breaking Styles

Tailwind CSS is great right up until you try to lock down your site with a real Content Security Policy. Then the usual “just drop in the CDN script” advice falls apart. If you care about CSP, Tailwind setup choices matter. A lot. Some Tailwind patterns work cleanly with a strict policy. Others push you toward 'unsafe-inline' or 'unsafe-eval', which is exactly the kind of compromise you were probably trying to avoid. ...

March 29, 2026 · 6 min · headertest.com