Hello,

This is a request to streamline (like limit to 1, or 1 per source) the URLs to allowlist in CSP policies. I also logged this as a support case with the following info:

HS customers do not only embed HS, but also other services, like Stripe, Sentry, Google Tag Manager etc. If each of those comes with 20 URLs that have to be allowlisted in different 'src' CSP headers, it ends up being a completely unmaintainable mess. In the end that is a security issue. What if at some point HS abandons one of those DNSes and this is picked up by a malicious organisation? Do you expect all customers will automatically and constantly watch all CSP requirements from all embedded platforms and update their settings accordingly?

Best,
Peter