Hi,
We’re setting up the calendly integration but are surprised to see that it doesn’t work without greatly relaxing the Content-Security-Policy in use in our app: in order to work, calendly requires the ‘unsafe-inline' and ‘unsafe-eval’ on both the script-src and style-src fetch directives. This is making us more exposed to CSRF and XSS attacks.
So my question is: are you aware of this, and are you planning to update your JS code?
Thanks
Hi,
We’re setting up the calendly integration but are surprised to see that it doesn’t work without greatly relaxing the Content-Security-Policy in use in our app: in order to work, calendly requires the ‘unsafe-inline' and ‘unsafe-eval’ on both the script-src and style-src fetch directives. This is making us more exposed to CSRF and XSS attacks.
So my question is: are you aware of this, and are you planning to update your JS code?
Thanks
+ 1 we also have this issue.
We value the functionality that Calendly provides and hope to continue using it without compromising our application's security. Your prompt response and any guidance on how to proceed securely would be greatly appreciated.
Thank you for your attention to this matter.
Best regards
Great then, if no one at calendly cares about the security of their users, we’ll start looking for another solution for replacing it 
Hey
There are a few different approaches to instead of using the unsafe-* directives:
Here are few resources:
Already have an account? Login
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.