Whitelisting Appcues

Some software products utilize a content security policy which automatically blocks non-whitelisted resources. Such security policies may cause Appcues' editor or SDK to fail to load properly. If your product has a content security policy that is impacting Appcues' editor or SDK, you will want to whitelist a number of resources that they require. You'll need to add the following your Content Security Policy settings*:

frame-src    'self' https://my.appcues.com https://*.firebaseio.com;
style-src    'self' https://fast.appcues.com https://fonts.googleapis.com;
script-src   'self' https://fast.appcues.com https://my.appcues.com https://cdn.firebase.com https://*.firebaseio.com;
img-src      'self' https://vulpix.appcues.com https://res.cloudinary.com twemoji.maxcdn.com;
connect-src  https://fast.appcues.com https://api.appcues.net wss://api.appcues.net https://vulpix.appcues.com https://appcues-content-api-prod.herokuapp.com https://nh436jpc4i.execute-api.us-west-2.amazonaws.com https://104cl9psz3.execute-api.us-west-2.amazonaws.com https://*.firebase.com wss://*.firebaseio.com https://*.firebaseio.com;

Optionally, you can whitelist Appcues' bug reporting with:

connect-src https://notify.bugsnag.com

Note: At the moment we ask to include a wildcard option for firebase domains. We ask this to account for the fact that Firebase can update the subdomain name without notice. Since this tends to happen without us knowing beforehand, we often aren't able to give you a heads up.

Appcues takes matters of security extremely seriously and while we can definitely understand the concern of including a wildcard option, we believe that given the reputation of Firebase, this is the best option for our customers.

Please reach out to us at support@appcues.com if you have any questions on the above.