To activate Sided on your site, add the following JavaScript to the <head> tag of your website for any pages where you'd like polls to render.
<script type="module" src="https://embed-v2.sided.co/assets/index.js"></script>
Once this code is active, you may add any poll embed or placement code to the page and the poll should render.
Content Security Policy (CSP) Integration Guide
To securely embed Sided polls and discussions on a site that uses Content Security Policy (CSP), you must explicitly allowlist our script and asset domains.
This ensures the widget loads and functions properly without compromising your site's security posture.
Required CSP Directives
Please add the following directives to your CSP header or meta tag:
Content-Security-Policy: script-src 'self' https://embed-v2.sided.co https://cdn.sided.co; style-src 'self' https://cdn.sided.co 'unsafe-inline'; connect-src https://api.sided.co https://www.gstatic.com; img-src 'self' data: https://cdn.sided.co;
Directive Breakdown
Directive | Purpose |
---|---|
script-src | Allows loading the Sided embed code and module chunks |
style-src | Allows Sided styles to load (fonts, widget layout, etc.) |
connect-src | Enables API calls to api.sided.co and Firebase (for analytics) |
img-src | Allows avatars or content images from cdn.sided.co |
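Most sites already send a policy, so the Sided sources have to be merged into it rather than sent as a replacement header. The JavaScript below is an added example, not Sided's own code: it merges the source lists from the header above into an existing policy string and reports script-src keywords that this guide says Sided does not need. The function names and the sample policy are assumptions made for illustration.

```javascript
// Source lists copied from the "Required CSP Directives" header on this page.
const SIDED_SOURCES = {
  'script-src': ['https://embed-v2.sided.co', 'https://cdn.sided.co'],
  'style-src': ['https://cdn.sided.co', "'unsafe-inline'"],
  'connect-src': ['https://api.sided.co', 'https://www.gstatic.com'],
  'img-src': ['data:', 'https://cdn.sided.co'],
};

// Parse "name src src; name src" into a Map of directive -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Browsers ignore a repeated directive, so only the first one counts.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Return the existing policy with Sided's sources added where they are needed.
function mergeSidedCsp(existingPolicy) {
  const directives = parseCsp(existingPolicy);
  for (const [name, needed] of Object.entries(SIDED_SOURCES)) {
    // A missing directive falls back to default-src; with neither present the
    // fetch type is unrestricted, and adding the directive would tighten it.
    const base = directives.get(name) ?? directives.get('default-src');
    if (!base) continue;
    // 'none' is only valid on its own, so drop it before adding sources.
    const merged = base.filter((s) => s.toLowerCase() !== "'none'");
    for (const src of needed) if (!merged.includes(src)) merged.push(src);
    directives.set(name, merged);
  }
  return [...directives].map(([n, s]) => [n, ...s].join(' ')).join('; ');
}

// List script keywords in the effective script-src that Sided does not require.
function scriptSrcWeaknesses(policy) {
  const d = parseCsp(policy);
  const scriptSrc = d.get('script-src') ?? d.get('default-src') ?? [];
  const weak = ["'unsafe-inline'", "'unsafe-eval'"];
  return scriptSrc.filter((s) => weak.includes(s.toLowerCase()));
}

// Constructed sample policy for a hypothetical site (not from the original page).
const SAMPLE_POLICY = "default-src 'self'; script-src 'self'; img-src 'none'";
console.log(mergeSidedCsp(SAMPLE_POLICY));
```

Directives the site already sets keep their own sources, and a directive that is absent with no default-src is left absent so the merge never makes the policy stricter than it was.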
Notes
Sided’s new embed uses ES modules, which require explicit domain allowlisting (type="module" will not load if blocked).
If your policy is nonce-based, we can provide a special embed version that accepts a dynamic CSP nonce.
We do not require unsafe-eval or unsafe-inline for scripts — only styles may currently require 'unsafe-inline'.
Domains to Allow
Make sure the following domains are allowlisted in your CSP:
Domain | Reason |
---|---|
https://embed-v2.sided.co | Main ES module loader |
https://cdn.sided.co | Widget CSS, fallback assets |
https://api.sided.co | Backend for polls, analytics |
https://www.gstatic.com | Firebase analytics (optional) |
Example CSP Meta Tag (for HTML)
<meta http-equiv="Content-Security-Policy" content="script-src 'self' https://embed-v2.sided.co https://cdn.sided.co; style-src 'self' https://cdn.sided.co 'unsafe-inline'; connect-src https://api.sided.co https://www.gstatic.com; img-src 'self' data: https://cdn.sided.co;">
Need Help?
If you use a strict or advanced CSP setup (e.g. nonce-based), contact us at dev@sided.co and we’ll provide a custom integration or nonce-compatible loader.