Skip to main content
A Content Security Policy (CSP) is a browser security feature that limits which domains a page may load scripts, styles, images, and network requests from. It helps protect against cross-site scripting (XSS) attacks. If your site sends a CSP header and does not allowlist Sleekplan, the browser will block the widget and you may see console errors like Refused to load the script. To let the widget work, add the Sleekplan domains below to the matching directives in your policy.
This only applies if your site actively enforces a CSP (a Content-Security-Policy header or <meta http-equiv="Content-Security-Policy"> tag). Most sites do not, and the widget works without any changes. If you are unsure, you probably do not have one.

Required directives

Add these sources to your existing policy. If you do not already declare a given directive, you only need to add it if your policy sets a restrictive default-src.
DirectiveSources to allow
script-src'unsafe-inline' blob: https://client.sleekplan.com https://api-client.sleekplan.com https://storage.sleekplan.com
style-src'unsafe-inline' https://client.sleekplan.com https://storage.sleekplan.com
connect-srchttps://api-client.sleekplan.com https://ingest.sleekplan.com https://storage.sleekplan.com
img-srcblob: data: https://client.sleekplan.com https://storage.sleekplan.com
font-srchttps://storage.sleekplan.com
frame-src'self'

Example policy

A complete Content-Security-Policy header that allows the widget looks like this (combine it with your own existing sources):
Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'unsafe-inline' blob: https://client.sleekplan.com https://api-client.sleekplan.com https://storage.sleekplan.com;
  style-src 'self' 'unsafe-inline' https://client.sleekplan.com https://storage.sleekplan.com;
  connect-src 'self' https://api-client.sleekplan.com https://ingest.sleekplan.com https://storage.sleekplan.com;
  img-src 'self' blob: data: https://client.sleekplan.com https://storage.sleekplan.com;
  font-src 'self' https://storage.sleekplan.com;
  frame-src 'self';
The widget requires 'unsafe-inline' for script-src and style-src, so it does not yet support a strict, nonce-based CSP Level 3 policy. If your security requirements mandate a strict CSP, contact support so we can advise on your setup.

Standalone portal on a custom domain

If you host your feedback portal on your own domain instead of embedding the widget, the CSP is served by Sleekplan and you can extend it from the portal settings. That is a separate flow: see Add custom CSP rules.

Next steps

Back to install overview

The snippet, user identification, and other platforms.

Custom domain

Host your feedback portal on your own subdomain.