Content Security Policies

Which Content Security Policy directives SpryUI needs so the SDK, API, and message assets can load without surprises.

What to allow

Snippet

SpryUI core CSP requirements:
- connect-src: required for SDK token/config/events requests
- style-src: inline styles are required today
- script-src: allow https://spryui.com when loading the hosted SDK from SpryUI
- img-src: add any domains used by your message images
- font-src: only needed if your host page loads external icon/font assets

  • connect-src covers the SDK token, config, and event requests.
  • script-src needs https://spryui.com when you load the hosted SDK from SpryUI instead of your own bundle.
  • img-src depends on the image origins you use in message content such as {{imageUrl}}.
  • font-src and extra style-src domains are only needed if your host page loads third-party icon or font libraries.

Same-origin install

If your site serves the SDK and the SDK API from the same origin, no extra domains are required beyond 'self'.

Minimal same-origin CSP

Content-Security-Policy:
  default-src 'self';
  script-src 'self';
  connect-src 'self';
  style-src 'self' 'unsafe-inline';
  img-src 'self' data:;

This matches the SDK default apiBaseUrl of /api/sdk/v1.

SpryUI cloud API

If your site loads the hosted SDK and calls SpryUI directly, point apiBaseUrl at the SpryUI API and allow https://spryui.com in script-src and connect-src.

Direct cloud API example

import { initSpryUi } from "https://spryui.com/sdk/v1/index.mjs";

initSpryUi({
  publicKey: "pk_...",
  host: window.location.host,
  apiBaseUrl: "https://spryui.com/api/sdk/v1",
});

CSP when connect-src must reach SpryUI

Content-Security-Policy:
  default-src 'self';
  script-src 'self' https://spryui.com;
  connect-src 'self' https://spryui.com;
  style-src 'self' 'unsafe-inline';
  img-src 'self' data:;

Hosted SDK

Extra domains by delivery method

Launch default:
- script-src: add https://spryui.com
- connect-src: add https://spryui.com

Future npm/CDN package delivery:
- script-src: add the package CDN origin you choose
- connect-src: add https://spryui.com

  • The launch-default hosted SDK requires https://spryui.com in script-src.
  • Direct SpryUI API calls require https://spryui.com in connect-src.

Strict CSP notes

Snippet

Strict CSP note:
- SpryUI injects runtime <style> blocks and inline style attributes, so style-src must allow inline styles today.
- If you paste the SDK bootstrap inline in HTML, script-src also needs a nonce/hash or 'unsafe-inline'.
- The cleanest strict-CSP setup is:
  1. host your bootstrap code in an external JS file
  2. keep script-src free of 'unsafe-inline'
  3. still allow inline styles for SpryUI-rendered messages

SpryUI does not currently require extra frame-src or worker-src allowances. Only add external img-src, font-src, or extra style-src domains when your own message templates or host page depend on those origins.
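The following is an added example, not SpryUI's own code: it parses a Content-Security-Policy value and reports which of the allowances described in the sections above (cloud connect-src, hosted-SDK script-src, inline styles, inline bootstrap) are still missing for a given install. The helper names and option names are assumptions for illustration; the only SpryUI-specific inputs are the origin and apiBaseUrl shown on this page.

```javascript
// Added example (not part of the SpryUI SDK): check a CSP against the
// SpryUI install options documented above. Helper names are assumptions.

// Parse "directive src1 src2; directive2 ..." into { directive: [sources] }.
// A leading "Content-Security-Policy:" header name is tolerated.
function parseCsp(header) {
  const value = header.replace(/^\s*content-security-policy\s*:/i, "");
  const policy = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Fetch directives fall back to default-src when absent, as browsers do.
function effectiveSources(policy, directive) {
  return policy[directive] ?? policy["default-src"] ?? [];
}

// apiBaseUrl: same-origin path ("/api/sdk/v1") or the SpryUI cloud API URL.
// hostedSdk: true when the SDK is imported from https://spryui.com.
// inlineBootstrap: true when the initSpryUi() call is pasted inline in HTML.
function missingAllowances({ csp, apiBaseUrl, hostedSdk, inlineBootstrap }) {
  const policy = parseCsp(csp);
  const missing = [];
  const has = (dir, src) => effectiveSources(policy, dir).includes(src);
  const needsCloud = /^https:\/\/spryui\.com(\/|$)/.test(apiBaseUrl);

  if (needsCloud && !has("connect-src", "https://spryui.com"))
    missing.push("connect-src https://spryui.com");
  if (hostedSdk && !has("script-src", "https://spryui.com"))
    missing.push("script-src https://spryui.com");
  // SpryUI injects runtime <style> blocks and inline style attributes.
  if (!has("style-src", "'unsafe-inline'"))
    missing.push("style-src 'unsafe-inline'");
  // An inline bootstrap needs a nonce, a hash or 'unsafe-inline' in script-src.
  const inlineOk = effectiveSources(policy, "script-src").some((s) =>
    /^'(unsafe-inline|nonce-|sha(256|384|512)-)/.test(s)
  );
  if (inlineBootstrap && !inlineOk)
    missing.push("script-src nonce/hash or 'unsafe-inline' for the inline bootstrap");
  return missing;
}
```

Run it against the header your server actually sends; an empty result means the policy already covers the install mode you passed in.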