CSP for Third Party Scripts: The Practical Cheat Sheet for GA, Stripe, Intercom, and More

You ship a Content Security Policy. It works locally. Then marketing adds Google Tag Manager, payments goes live with Stripe, support turns on Intercom, and suddenly the browser console is screaming about violations and half your integrations are dead. This is the number one reason CSP deployments fail in production. Not because the concept is hard, but because every third party service loads scripts from a different set of domains, and none of them make it easy to find. This post is a working