👋 Hola Growthbook team! We are testing the Visual Editor and we had some problems setting it up. They were all about CSP rules, I’m posting the rules we had to include here just so that you are aware other people might trip on them: • We needed to allow cdn.growthbook.io to the

script-src

policy (this one is duh 😅). • We needed to allow unpkg.com to the

script-src

policy (there is only one script served from there:

ab-designer@0.6.0

). This one is tricky, and I’d expect people not wanting to add a global CDN to their allow list as that’d render the policy useless. This is a blocker on our end. No idea what the best solution for this would be but I’d personally recommend hosting this script in your own domain if possible. • We needed to include a

frame-ancestors

policy to allow app.growthbook.io to embed an iframe pointing to our site. This one is pretty obvious but I was surprised not to see any reference to it in the docs. I hope this helps improving this new feature and I’m happy to share any other details you might need to trace these problems down