Ab-Testing

A/B testing tools and strict CSP have a messy relationship. VWO is a good example. Marketing wants fast experiments. Security wants a locked-down policy. Engineering gets stuck in the middle, usually after someone ships unsafe-inline and calls it “temporary.” I’ve had to clean this up more than once. If you’re running VWO on a site with a real Content Security Policy, you need to make a choice: loosen CSP enough for VWO to work easily, or keep a stricter policy and accept extra setup, testing, and occasional friction. ...

A/B testing sounds harmless until it collides with a strict Content Security Policy. That’s where teams usually get stuck with PostHog experiments. Product wants fast iteration. Security wants a locked-down CSP. Engineering gets to mediate the fight. I’ve dealt with this a few times, and the bad news is there’s no magic CSP switch for “safe experimentation.” The good news is you do have a few workable patterns, and each one has pretty clear tradeoffs. ...