A Content Security Policy (CSP) is a security mechanism that prevents web pages from accessing browser APIs and resources, reducing the risk of certain threats, such as cross-site scripting⁠(opens in a new tab or window).

Canva applies a Content Security Policy to the iframe that embeds an app's source code. This makes apps more secure, but:

The policy blocks some useful features.
When an app violates a policy, the app will break.

This page describes what the policy allows and how to troubleshoot violations.

What is (and isn't) allowed

Apps can:

Load audio, fonts, images, and videos from data URLs and HTTPS URLs.
Use inline CSS.

Apps can't:

Use frames, web workers, or other nested browsing contexts.
Load JavaScript from third-party sources.
Load CSS stylesheets.
Use the base element.
Use the form element's action attribute.

To handle form submissions in the app's iframe, attach an onSubmit handler to the form and use the preventDefault method to prevent the form's default behavior.

What directives does Canva use?

The behavior of a Content Security Policy is defined with one or more directives.

The app's iframe uses the following directives:

base-uri 'none';
child-src 'none';
connect-src https: data: wss: https://o13855.ingest.sentry.io https://telemetry.canva.com/v1/traces;
default-src 'none';
font-src  data: https: https://static.canva.com;
form-action 'none';
frame-ancestors https://.canva.com http://localhost:*;
frame-src 'none';
img-src data: https: blob: https://static.canva.com;
media-src  data: https: blob: https://static.canva.com;
object-src 'none';
script-src 'wasm-unsafe-eval'  https://thirdparty-public-apps.canva-apps-dev.com/XX/file.js https://static.canva.com 'nonce-XXXX';
style-src 'unsafe-inline' https://static.canva.com;
worker-src 'none';

How to troubleshoot violations

When an app violates the Content Security Policy, an error is logged to the JavaScript Console. You can use this error to identify which policy was violated and then figure out what needs fixing.