Method 1: SDK + iFrame (Recommended)
When using the Reach SDK with an iframe:- You load the SDK script from
https://cdn.embedreach.com - The SDK automatically creates an iframe from the same CDN
Method 2: React Components (via npm package)
When using Reach React components from npm:- Components render directly in your page (no iframe)
- No external script loading needed
- API calls go to
https://api.embedreach.com
Method 3: Attribution Snippet Only
When using only the attribution snippet on public pages:- Loads from
https://public.embedreach.com - Makes API calls to
https://api.embedreach.com
Quick Reference
| Integration Method | CSP Directives Needed |
|---|---|
| SDK + iFrame | script-src 'self' https://cdn.embedreach.com; + frame-src 'self' https://cdn.embedreach.com; |
| React Components | connect-src 'self' https://api.embedreach.com https://app.posthog.com https://app.launchdarkly.com; |
| Attribution Snippet | script-src 'self' https://public.embedreach.com; + connect-src 'self' https://api.embedreach.com; |
Common Issues & Solutions
CSP Violations
- Error: “Refused to load the script from ‘https://cdn.embedreach.com’ because it violates the following Content Security Policy directive”
- Fix: Add
https://cdn.embedreach.comto yourscript-srcdirective
OAuth Popups Blocked
If you’re using COOP headers and OAuth flows fail: Add to your COOP policy:Verification Steps
- Open browser DevTools → Network tab
- Load your page with Reach embedded
- Verify these network requests succeed:
sdk.es.jsfromhttps://cdn.embedreach.com(SDK method)- API calls to
https://api.embedreach.com(all methods)
- Check Console tab - no CSP violation errors should appear
Need Help?
If you’re still seeing issues after following these steps, contact us atsupport@embedreach.com with:
- Your current CSP header value
- Screenshots of browser console errors
- Which integration method you’re using