CSP for ConvertKit Forms: Copy-Paste Policies
ConvertKit forms are simple to embed, but they’re annoying from a CSP perspective for one reason: most teams start with a tight policy, paste in the form snippet, and then the browser blocks half of it. I’ve had to fix this a few times. The pattern is usually the same: the form loader script is blocked inline styles or scripts get blocked form submission fails because connect-src or form-action is too strict success messages or embeds break inside an iframe This guide is the practical version: what to allow, what to avoid, and copy-paste policies you can start with. ...