FAQ: Content Security Policies

Some software products use a content security policy that automatically blocks resources that are not explicitly allowed. Such security policies may cause Appcues' editor or SDK to fail to load properly. If your product has a content security policy that is impacting Appcues' editor or SDK, you will want to extend that CSP with a number of resources that Appcues requires. 

You'll need to add the following Content Security Policy settings on your end:

frame-src    'self' https://*.appcues.com;
style-src    'self' https://*.appcues.com https://*.appcues.net https://fonts.googleapis.com https://fonts.google.com 'unsafe-inline';
script-src   'self' https://*.appcues.com https://*.appcues.net 'unsafe-inline';
img-src      'self' res.cloudinary.com twemoji.maxcdn.com;
connect-src  https://*.appcues.com https://*.appcues.net wss://*.appcues.net wss://*.appcues.com;

Please reach out to us at support@appcues.com if you have any questions on the above.
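
The following JavaScript is an added example, not Appcues code: it merges the sources listed above into an existing policy rather than replacing it, seeding any directive that does not exist yet from its default-src fallback so the rest of the site keeps loading, and it warns when 'unsafe-inline' would be ignored because the directive already carries a nonce or hash. The function names are assumptions, and script-src-elem and style-src-elem are not handled.

```javascript
// Added example. Source lists are copied from this page; the function names
// and any policy passed in are assumptions for illustration.
const APPCUES_CSP = {
  'frame-src': ["'self'", 'https://*.appcues.com'],
  'style-src': ["'self'", 'https://*.appcues.com', 'https://*.appcues.net',
    'https://fonts.googleapis.com', 'https://fonts.google.com', "'unsafe-inline'"],
  'script-src': ["'self'", 'https://*.appcues.com', 'https://*.appcues.net',
    "'unsafe-inline'"],
  'img-src': ["'self'", 'res.cloudinary.com', 'twemoji.maxcdn.com'],
  'connect-src': ['https://*.appcues.com', 'https://*.appcues.net',
    'wss://*.appcues.net', 'wss://*.appcues.com'],
};

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // Browsers honour only the first occurrence of a directive.
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

function extendCsp(header, additions = APPCUES_CSP) {
  const policy = parseCsp(header);
  const warnings = [];
  for (const [directive, required] of Object.entries(additions)) {
    // A missing directive falls back to default-src (frame-src tries child-src
    // first). Creating it replaces that fallback, so seed it from there.
    const fallback = (directive === 'frame-src' && policy.get('child-src')) ||
      policy.get('default-src');
    const base = policy.get(directive) ?? fallback;
    // No directive and no fallback: this resource type is already unrestricted.
    if (!base) continue;
    // 'none' must stand alone, so drop it once real sources are added.
    const merged = base.filter((s) => s.toLowerCase() !== "'none'");
    for (const src of required) if (!merged.includes(src)) merged.push(src);
    // Browsers ignore 'unsafe-inline' when the same directive has a nonce or hash.
    if (required.includes("'unsafe-inline'") &&
        merged.some((s) => /^'(nonce|sha256|sha384|sha512)-/i.test(s))) {
      warnings.push(`${directive}: 'unsafe-inline' is ignored next to a nonce or hash`);
    }
    policy.set(directive, merged);
  }
  const out = [...policy].map(([name, srcs]) => [name, ...srcs].join(' '));
  return { header: out.join('; '), warnings };
}
```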

A note on 'unsafe-inline'

The above content security policy is functional and secure. Some organizations prefer to have the 'unsafe-inline' as specified in rows 2 and 3 above (the style-src and script-src rows). While it is possible to remove this directive, if you do, the following Appcues functions will no longer work properly.

Flow Settings > Actions

In your flow settings, you're given the option to choose an action to perform when a flow completes. These actions depend on unsafe-inline and will not function if unsafe-inline is removed. In addition, if any of the following Flow settings are checked on the Flow and unsafe-inline is removed, a user who opens their browser's JavaScript console will see an error, which is harmless.

Builder "Trigger Flow" buttons

When configuring a button in the builder, one option is to configure the button to "Trigger Flow". This functionality will not work if the unsafe-inline directive is removed.
