Content Security Policies
Learn more about the content security policies that Appcues requires to work correctly.
Some software products use a content security policy that automatically blocks resources that are not explicitly allowed. Such security policies may cause Appcues' editor or SDK to fail to load properly. If your product has a content security policy that is impacting Appcues' editor or SDK, you will want to extend that CSP with a number of resources that Appcues requires.
You'll need to add the following Content Security Policy settings on your end:
frame-src 'self' https://*.appcues.com;
font-src 'self' https://fonts.gstatic.com;
style-src 'self' https://*.appcues.com https://*.appcues.net https://fonts.googleapis.com https://fonts.google.com 'unsafe-inline';
script-src 'self' https://*.appcues.com https://*.appcues.net;
img-src 'self' https://*.appcues.com https://*.appcues.net res.cloudinary.com cdn.jsdelivr.net;
connect-src https://*.appcues.com https://*.appcues.net wss://*.appcues.net wss://*.appcues.com;
Please reach out to us at support@appcues.com if you have any questions on the above.
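A directive that is missing from your current policy inherits from default-src (frame-src checks child-src first), so adding it with only the Appcues sources would drop your own. The following JavaScript is an added example, not Appcues' code: it merges the settings above into an existing policy while preserving that fallback. The names parseCsp and mergeCsp and the sample policy are constructed for illustration.

```javascript
// Added example: merge the Appcues sources listed above into an existing CSP.
// APPCUES_CSP is copied from this page; the existing policy below is constructed.
const APPCUES_CSP = [
  "frame-src 'self' https://*.appcues.com",
  "font-src 'self' https://fonts.gstatic.com",
  "style-src 'self' https://*.appcues.com https://*.appcues.net https://fonts.googleapis.com https://fonts.google.com 'unsafe-inline'",
  "script-src 'self' https://*.appcues.com https://*.appcues.net",
  "img-src 'self' https://*.appcues.com https://*.appcues.net res.cloudinary.com cdn.jsdelivr.net",
  "connect-src https://*.appcues.com https://*.appcues.net wss://*.appcues.net wss://*.appcues.com",
].join("; ");

// Parse "name src src; name src" into a Map of directive -> array of sources.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function mergeCsp(existingPolicy, requiredPolicy = APPCUES_CSP) {
  const merged = parseCsp(existingPolicy);
  for (const [name, required] of parseCsp(requiredPolicy)) {
    // A missing fetch directive falls back to default-src (frame-src tries
    // child-src first), so seed from it instead of silently dropping sources.
    const fallback = (name === "frame-src" && merged.get("child-src")) || merged.get("default-src");
    const current = merged.get(name) ?? fallback ?? [];
    // 'none' must stand alone, so drop it once real sources are added.
    const combined = current.filter((s) => s.toLowerCase() !== "'none'");
    for (const source of required) {
      if (!combined.includes(source)) combined.push(source);
    }
    merged.set(name, combined);
  }
  return [...merged].map(([n, s]) => [n, ...s].join(" ")).join("; ");
}

// Constructed sample policy for illustration.
const existing =
  "default-src 'self' https://cdn.example.com; script-src 'self' 'nonce-abc123'; frame-src 'none'";
console.log(mergeCsp(existing));
```

If your existing style-src already carries a nonce or hash source, browsers ignore 'unsafe-inline' in that directive, so check that combination before deploying the merged policy.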
A note on 'unsafe-inline'
The above content security policy is functional and secure. Some organizations prefer not to have 'unsafe-inline' as specified in row 3 above. While it is possible to remove this keyword, if you do, the following Appcues functions will no longer work properly:
- Themes & In-line Styling
NOTE: If you are using a Locked Version of the SDK (anything lower than 4.39.41), then you will want to have 'unsafe-inline' specified in rows 2 AND 3 above. While it is possible to remove it from those lines, if you do, the following Appcues functions will no longer work properly:
- Themes & In-line Styling
- The Actions option on the Flow Settings page
- Trigger Flow Buttons in the Builder