If you use Sleeknote on a website that also enforces a Content Security Policy (CSP), make sure the policy allows Sleeknote to function properly.
CSP is a security mechanism that allows website owners to specify which resources (such as scripts, fonts, images, and frames) are allowed to be loaded on their site. By default, CSP blocks all resources that are not explicitly allowed in the policy. If Sleeknote is not whitelisted in your CSP, it may not work correctly, or it may not load at all.
To whitelist Sleeknote in your CSP, follow the steps below:
- First, we strongly recommend trusting *.sleeknote.com
Before you start specifying individual resources in your CSP, we strongly recommend that you trust the entire Sleeknote domain by adding the following to your CSP:
default-src 'self' *.sleeknote.com;
This will allow Sleeknote to load all the resources it needs, regardless of the specific subdomains it uses. Note that Sleeknote reserves the right to add or retire any subdomain it wishes, so if you list exact subdomains in your CSP configuration, you may experience service breakages as Sleeknote deploys and develops new versions of its software.
- If you want stricter restrictions, specify these resources for Sleeknote to load.
Sleeknote needs to load several types of resources to function properly. Here are the specific CSP directives you should use to allow Sleeknote to load these resources:
<link> elements with data URIs:
To fetch resources:
Sleeknote uses the fetch() API to load additional resources (such as HTML, images, and CSS files) and caches them using the Cache API. It also uses Cloudflare to serve Twitter Emoji and gets some font CSS from Google.
To load fonts:
To load images:
Sleeknote converts loaded images into blobs and creates object URLs. Therefore, data: image sources need to be allowed. Not all images are converted this way and not all the time. Plus, Sleeknote uses a tracking pixel for analytics.
To post data to various integration endpoints:
frame-src mailchimp.sleeknote.com agillic.sleeknote.com campaignmonitor.sleeknote.com emarsys.sleeknote.com segment.sleeknote.com activecampaign.sleeknote.com integrationssite.sleeknote.com klaviyo.sleeknote.com dotdigital.sleeknote.com salesforce.sleeknote.com drip.sleeknote.com onsite-subscribe.getdrip.com smartweb.sleeknote.com apsis.sleeknote.com apsisone.sleeknote.com heyloyalty.sleeknote.com peytz.sleeknote.com ubivox.sleeknote.com mailplatform.sleeknote.com zapier.sleeknote.com onsite-subscribe.getdrip.com contactform.sleeknote.com subscribe.sleeknote.com
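The fallback and wildcard rules behind the two options above, as an added example (not Sleeknote's code): a simplified matcher showing that an explicit directive such as frame-src replaces default-src rather than extending it, and that *.sleeknote.com does not cover a host outside that domain such as onsite-subscribe.getdrip.com. The function names and the www.example.com page origin are assumptions; ports, paths, nonces and hashes are not modelled.

```javascript
// Added example, simplified CSP matching: fetch directives only; ignores
// ports, paths, nonces and hashes. Not a replacement for browser testing.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

function hostMatches(pattern, host) {
  const p = pattern.replace(/^[a-z][a-z0-9+.-]*:\/\//, ''); // drop any scheme
  // "*.sleeknote.com" matches subdomains only, never "sleeknote.com" itself.
  if (p.startsWith('*.')) return host.endsWith(p.slice(1));
  return p === host;
}

function isAllowed(policy, directive, url, pageOrigin) {
  const directives = parseCsp(policy);
  // An explicit directive replaces default-src completely; it does not merge.
  const chain = directive === 'frame-src'
    ? ['frame-src', 'child-src', 'default-src'] : [directive, 'default-src'];
  const governing = chain.find((d) => directives.has(d));
  if (!governing) return true; // nothing in the policy governs this fetch
  const target = new URL(url);
  return directives.get(governing).some((s) => {
    if (s === "'self'") return target.origin === new URL(pageOrigin).origin;
    if (s.startsWith("'")) return false; // 'none', nonces, hashes: not modelled
    if (s === '*') return /^https?:$/.test(target.protocol);
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s; // data:
    return hostMatches(s, target.hostname);
  });
}

// Constructed inputs: example.com is a placeholder site (assumption);
// the frame hosts are taken from the frame-src list above.
const PAGE = 'https://www.example.com';
const BROAD = "default-src 'self' *.sleeknote.com;";
const MIXED = "default-src 'self' *.sleeknote.com; frame-src 'self'";
function demo() {
  const frame = (policy, host) => isAllowed(policy, 'frame-src', `https://${host}/`, PAGE);
  return {
    broadSleeknote: frame(BROAD, 'mailchimp.sleeknote.com'),
    broadGetdrip: frame(BROAD, 'onsite-subscribe.getdrip.com'),
    mixedSleeknote: frame(MIXED, 'mailchimp.sleeknote.com'),
  };
}
console.log(demo());
```

If your existing policy already sets a directive such as frame-src or img-src, add the Sleeknote sources to that directive as well, because the default-src entry is ignored for it.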