CSP for Cusdis Comments: iframe vs self-hosted
Cusdis is one of those tools that looks deceptively simple from a CSP perspective. It’s “just comments,” until you wire it up and realize you’ve now introduced third-party scripts, API calls, maybe an iframe, maybe your own deployment, and a bunch of policy decisions you’ll need to defend later. If you care about keeping a tight Content Security Policy, Cusdis is actually pretty manageable. Better than many ad-heavy comment systems, honestly. But the right CSP depends heavily on how you use it: ...