Split.io is easy to miss in a CSP until your flags stop loading and your app quietly falls back to defaults. I’ve seen this happen a lot: the SDK loads fine from your own bundle, but CSP blocks the network calls Split needs for streaming, polling, or event tracking. The result is subtle. No obvious crash, just “why are all my feature flags off in production?” This guide is the copy-paste version for getting Split.io working with Content Security Policy. ...
Feature flags sound harmless until they turn into “run arbitrary code from a remote dashboard.” I’ve seen teams build a custom flag system, then quietly smuggle in dynamic script loading, inline config blobs, third-party SDKs, and admin-controlled HTML. That’s exactly where Content Security Policy starts pulling its weight. If you’re building a custom flag system, CSP won’t design it for you. What it does is force you to be honest about how the system actually works. Are flags just booleans? Are they JSON payloads? Do they decide which already-shipped component renders? Or are they effectively a remote code execution mechanism with nicer branding? ...