CSP for ConvertKit Forms: Copy-Paste Policies

ConvertKit forms are simple to embed, but they’re annoying from a CSP perspective for one reason: most teams start with a tight policy, paste in the form snippet, and then the browser blocks half of it. I’ve had to fix this a few times. The pattern is usually the same: the form loader script is blocked; inline styles or scripts get blocked; form submission fails because connect-src or form-action is too strict; success messages or embeds break inside an iframe. This guide is the practical version: what to allow, what to avoid, and copy-paste policies you can start with. ...

May 7, 2026 · 6 min · headertest.com

CSP for AWeber Email Forms: A Real-World Fix

AWeber form embeds are the kind of thing teams paste into production on a Friday afternoon and only think about again when signups mysteriously stop working. I’ve seen this pattern a lot: the site starts with a pretty solid Content Security Policy, marketing drops in an email signup form, and suddenly the browser console fills with CSP violations. The usual reaction is to loosen the policy until the errors disappear. That works, but it also trashes the point of having CSP in the first place. ...

May 3, 2026 · 7 min · headertest.com