FAQ: Content Security Policies

Updated at January 17th, 2023


Some software products use a Content Security Policy (CSP) that automatically blocks resources that are not explicitly allowed. Such a policy may cause Appcues' editor or SDK to fail to load properly. If your product's CSP is affecting Appcues' editor or SDK, you will want to extend it with the resources that Appcues requires.

You'll need to add the following Content Security Policy settings on your end:

frame-src    'self' https://*.appcues.com;
font-src     'self' https://fonts.gstatic.com;
style-src    'self' https://*.appcues.com https://*.appcues.net https://fonts.googleapis.com https://fonts.google.com 'unsafe-inline';
script-src   'self' https://*.appcues.com https://*.appcues.net;
img-src      'self' https://*.appcues.com https://*.appcues.net res.cloudinary.com twemoji.maxcdn.com;
connect-src  https://*.appcues.com https://*.appcues.net wss://*.appcues.net wss://*.appcues.com;

Please reach out to us at support@appcues.com if you have any questions on the above.

A note on 'unsafe-inline'

The above content security policy is functional and secure. Some organizations prefer to have the 'unsafe-inline' as specified in row 2 above. While it is possible to remove this keyword, if you do, the following Appcues functions will no longer work properly:

  • Themes & In-line Styling

NOTE: If you are using a locked version of the SDK (anything lower than 4.39.41), you will want to have 'unsafe-inline' specified in rows 2 AND 3 above. While it is possible to remove this keyword from those lines, if you do, the following Appcues functions will no longer work properly:

  • Themes & In-line Styling
  • The Actions option on the Flow Settings page
  • Trigger Flow Buttons in the Builder
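
The following added example, which is not Appcues code, merges the sources listed above into an existing policy instead of pasting the directives verbatim. It seeds any directive the site had not declared from its default-src fallback (declaring connect-src as listed would otherwise drop same-origin requests that default-src allowed) and flags where 'unsafe-inline' is introduced or would be ignored because a nonce or hash is present. The function names and the sample policy are constructed for illustration.

```javascript
// Added example, not Appcues code; function names are hypothetical.
const APPCUES_CSP = { // source lists copied from the policy in this article
  'frame-src': ["'self'", 'https://*.appcues.com'],
  'font-src': ["'self'", 'https://fonts.gstatic.com'],
  'style-src': ["'self'", 'https://*.appcues.com', 'https://*.appcues.net',
    'https://fonts.googleapis.com', 'https://fonts.google.com', "'unsafe-inline'"],
  'script-src': ["'self'", 'https://*.appcues.com', 'https://*.appcues.net'],
  'img-src': ["'self'", 'https://*.appcues.com', 'https://*.appcues.net',
    'res.cloudinary.com', 'twemoji.maxcdn.com'],
  'connect-src': ['https://*.appcues.com', 'https://*.appcues.net',
    'wss://*.appcues.net', 'wss://*.appcues.com'],
};

// Parse "name src src; name src" into a Map of directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Browsers ignore a repeated directive, so the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function mergeCsp(existing, additions = APPCUES_CSP) {
  const policy = parseCsp(existing);
  const warnings = [];
  for (const [name, required] of Object.entries(additions)) {
    // An absent fetch directive falls back to default-src (frame-src tries child-src
    // first). Declaring it ends that fallback, so start from the inherited sources.
    const fallback = name === 'frame-src' && policy.has('child-src') ? 'child-src' : 'default-src';
    const base = policy.get(name) || policy.get(fallback) || [];
    // 'none' only has meaning on its own, so drop it before adding sources.
    const merged = base.filter((s) => s.toLowerCase() !== "'none'");
    for (const src of required) if (!merged.includes(src)) merged.push(src);
    if (required.includes("'unsafe-inline'")) {
      if (!base.includes("'unsafe-inline'")) warnings.push(`${name}: adds 'unsafe-inline'`);
      if (merged.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s)))
        warnings.push(`${name}: nonce or hash present, so browsers ignore 'unsafe-inline'`);
    }
    policy.set(name, merged);
  }
  const header = [...policy].map(([n, s]) => [n, ...s].join(' ')).join('; ');
  return { header, warnings };
}
// Constructed sample policy for a site that relies on default-src and nonces.
const SAMPLE_CSP = "default-src 'self' https://api.example.com; " +
  "script-src 'self' 'nonce-abc123'; style-src 'self' 'nonce-abc123'; img-src 'none'";
console.log(mergeCsp(SAMPLE_CSP));
```

Review the returned warnings before deploying the merged header; a style-src that already carries a nonce or hash will not honor the added 'unsafe-inline'.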
