CSP for Mailchimp Signup Forms: A Real-World Fix
I’ve seen this one more than once: a team adds a Mailchimp signup form late in the launch cycle, everything works in staging, then production CSP blocks half of it. The usual reaction is predictable: someone pastes *.mailchimp.com into default-src, sprinkles in 'unsafe-inline', and calls it done. The form works, but the policy gets weaker, noisier, and harder to maintain: a wildcard host in default-src is inherited by every fetch directive you did not set explicitly (scripts, styles, frames, fonts, connections), and 'unsafe-inline' in the directive that governs scripts gives up the XSS protection that was the reason to deploy CSP in the first place. A better approach is to treat Mailchimp like any other third-party integration: measure what it actually needs (a Content-Security-Policy-Report-Only header shows which directives the form trips without breaking it), scope directives tightly, and avoid opening the whole page just to get one form working. ...
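To make the "paste it into default-src" failure mode concrete, here is an added example (not code from the original post): a small CSP auditor that parses a policy header, applies the default-src fallback rules, and flags the three things the paragraph warns about. Both policies it checks are constructed for illustration; the set of directives Mailchimp's form actually needs is exactly what the text says to measure, so the "scoped" policy's directive list is a placeholder rather than a recommendation.

```javascript
// Added example (not from the original post): audit a Content-Security-Policy
// header for the anti-patterns described above. Sample policies are constructed;
// the real directives a Mailchimp form needs must be measured, not assumed.

// Policy produced by the "paste it into default-src" reaction (constructed).
const WEAK_POLICY =
  "default-src 'self' https://*.mailchimp.com 'unsafe-inline'";

// Same host, scoped to the directives a third-party form plausibly needs
// (constructed placeholder; confirm the real set with Report-Only first).
const SCOPED_POLICY = [
  "default-src 'self'",
  "script-src 'self' https://*.mailchimp.com",
  "connect-src 'self' https://*.mailchimp.com",
  "form-action 'self' https://*.mailchimp.com",
].join('; ');

// Parse "name src src; name src" into Map<directive, [sources]>.
// A directive repeated within one policy is ignored after its first
// occurrence, which is what browsers do.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Fetch directives inherit default-src when absent. Navigation directives
// such as form-action do not: an absent form-action means unrestricted.
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'img-src', 'connect-src', 'font-src',
  'media-src', 'object-src', 'frame-src', 'worker-src', 'manifest-src',
]);

// Sources that actually govern `directive`, or null when nothing restricts it.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FALLS_BACK_TO_DEFAULT.has(directive)) return policy.get('default-src') || [];
  return null;
}

const WILDCARD_HOST = /^(https?:\/\/)?\*(\.|$)/i;
const NONCE_OR_HASH = /^'(nonce-|sha(256|384|512)-)/;

// Return human-readable findings; an empty list means nothing was flagged.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];

  // 1. A wildcard third-party host in default-src is inherited by every fetch
  //    directive not set explicitly: one form opens scripts, styles, frames...
  for (const src of policy.get('default-src') || []) {
    if (WILDCARD_HOST.test(src)) {
      findings.push(`wildcard host ${src} in default-src; move it to the specific directives that need it`);
    }
  }

  // 2. 'unsafe-inline' reaching scripts (directly or via default-src fallback)
  //    disables CSP's XSS protection. Browsers ignore it when a nonce or hash
  //    is also listed, so that combination is not flagged.
  const scripts = effectiveSources(policy, 'script-src');
  if (scripts.includes("'unsafe-inline'") && !scripts.some((s) => NONCE_OR_HASH.test(s))) {
    findings.push("'unsafe-inline' applies to scripts with no nonce or hash; inline script injection is not blocked");
  }

  // 3. A signup form posts to a third party, so form-action must be explicit;
  //    without it every destination is allowed.
  if (effectiveSources(policy, 'form-action') === null) {
    findings.push('no form-action directive; form submissions are unrestricted');
  }

  return findings;
}

// Run directly: node csp_audit.js
if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, header] of [['weak', WEAK_POLICY], ['scoped', SCOPED_POLICY]]) {
    const findings = auditCsp(header);
    console.log(`${label}: ${findings.length === 0 ? 'no findings' : ''}`);
    for (const f of findings) console.log(`  - ${f}`);
  }
}
```

The weak policy trips all three checks; the scoped one trips none, and still contains the same *.mailchimp.com host, which is the point: the host is not the problem, where it is granted is. Run the auditor against the header your server actually emits before and after the change, and against the Report-Only violations you collect while measuring.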