Content Security Policy
A Content Security Policy (CSP) is a security mechanism that prevents web pages from accessing certain browser APIs and resources, reducing the risk of various threats, such as cross-site scripting and clickjacking.
Canva applies a Content Security Policy to the iframe that embeds an app's source code. This makes apps more secure but has some implications that are important to be aware of:
- The policy blocks some useful features
- When an app violates a policy, the app will break
This page describes what the policy allows, what the policy doesn't allow, and how to troubleshoot violations.
What is (and isn't) allowed
- Load font files as data URLs or via HTTPS URLs
- Load image files as data URLs or via HTTPS URLs
- Load audio files as data URLs or via HTTPS URLs
- Load video files as data URLs or via HTTPS URLs
- Use inline CSS
- Use frames, web workers, or other nested browsing contexts
- Load CSS stylesheets
- Use the
- Use the
What directives does Canva use?
The behavior of a Content Security Policy is defined with one or more directives.
To view the complete list of directives that Canva uses:
Visit the following URL, replacing
<app-id>with the ID of an app:https://app-<app-id>.canva-apps.com/canva-api/templates/v1/api_next.html
Right click on the page.
Select View Page Source.
The directives are defined in a