CSP Mistakes That Break Redash Embeds

Redash embeds look simple: drop an <iframe> on the page and move on. Then CSP gets involved and suddenly the dashboard is blank, the browser console is yelling, and somebody suggests adding * everywhere. Don’t do that. When Redash embeds fail under CSP, the root cause is usually boring: the wrong directive, the wrong origin, or a policy applied on the wrong side of the iframe boundary. I’ve seen teams lose hours because they changed the parent page policy when the real blocker lived on the Redash server, or vice versa. ...

May 22, 2026 · 6 min · headertest.com

CSP for Jotform: Copy-Paste Policy Examples

Jotform is one of those services that looks simple from the outside: paste an embed, publish the page, done. Then CSP blocks it. Usually the first breakage shows up as: the form iframe never loads; custom scripts from Jotform get refused; form submissions fail silently; file uploads or payment widgets break; the browser console fills with Refused to frame, Refused to connect, or Refused to load script. If you’re embedding Jotform on a site with a real Content Security Policy, you need to explicitly allow the Jotform origins your embed uses. There isn’t a single universal one-liner that covers every Jotform feature, because the exact domains can vary by embed type, region, and enabled integrations. ...

April 23, 2026 · 5 min · headertest.com