Open source platform for stress free deployments, measured impact, and smarter decisions.

GrowthBook Users

:wave: Hola Growthbook team! We are testing the <https://docs.growthbook.io/app/visual|Visual Editor> and we had some problems setting it up. They were all about <https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP|CSP rules>, I’m posting the rules we had to include here just so that you are aware other people might trip on them:

• We needed to allow <http://cdn.growthbook.io|cdn.growthbook.io> to the `script-src` policy (this one is duh :sweat_smile:).
• We needed to allow <http://unpkg.com|unpkg.com> to the `script-src` policy (there is only one script served from there: `ab-designer@0.6.0` ). This one is tricky, and I’d expect people not wanting to add a global CDN to their allow list as that’d render the policy useless. This is a blocker on our end. No idea what the best solution for this would be but I’d personally recommend hosting this script in your own domain if possible.
• We needed to include a `frame-ancestors` policy to allow <http://app.growthbook.io|app.growthbook.io> to embed an iframe pointing to our site. This one is pretty obvious but I was surprised not to see any reference to it in the docs.
I hope this helps improving this new feature and I’m happy to share any other details you might need to trace these problems down