Accepted Frameworks and CDNs
A page is one self-contained HTML file. You can pull CSS and JavaScript from the hosts below; anything else is removed when the page is published, and blocked again in the browser by the page's Content-Security-Policy. This list is generated from rendrd's live policy at rendrd.io/allowed.json, so it is always current.
Scripts
<script src> may load from:
cdn.jsdelivr.net, cdnjs.cloudflare.com, unpkg.com, cdn.tailwindcss.com, esm.sh
That covers Chart.js, D3, Alpine and most libraries on jsDelivr, cdnjs and unpkg, the Tailwind Play CDN, and ES modules from esm.sh. Inline <script> runs as written.
Styles and fonts
Stylesheets (<link rel="stylesheet">) may load from:
cdn.jsdelivr.net, cdnjs.cloudflare.com, fonts.googleapis.com
Web fonts may load from:
fonts.gstatic.com, cdn.jsdelivr.net
Inline <style> works. Google Fonts works through fonts.googleapis.com and fonts.gstatic.com.
Images
Any https/http host, plus data: and blob: URIs.
Video embeds
<iframe> is allowed only to embed video from these platforms (they moderate their own content). Other iframes, and <object>/<embed>, are removed:
youtube.com, youtube-nocookie.com, vimeo.com, loom.com, wistia.net, wistia.com, dailymotion.com, player.twitch.tv
Forms
rendrd has no form backend. A form may post to a form-to-email service:
formsubmit.co, api.web3forms.com, formspree.io
See Forms without a backend for a worked example.
What is not allowed
- Runtime network calls (fetch, XMLHttpRequest, WebSocket) are blocked (connect-src 'none'). A page that loads data at runtime will not work; bake the data into the HTML instead.
- Scripts and styles from other hosts are stripped at publish.
- Sensitive form fields (payment cards, CVV, bank/IBAN, national IDs, passwords, crypto keys) are removed at publish.
- object, embed, event-handler attributes (onclick, ...), and javascript: URLs are removed.
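A pre-publish check built from the lists above, as an added example (not rendrd's own sanitizer): it scans a page's tags with a regex rather than an HTML parser and reports what this page says would be removed. The subdomain matching rule, the placeholder base URL and the sample page are assumptions.

```javascript
// Hosts copied from the lists on this page; the matching rules are assumptions.
const ALLOWED = {
  script: ["cdn.jsdelivr.net", "cdnjs.cloudflare.com", "unpkg.com", "cdn.tailwindcss.com", "esm.sh"],
  style: ["cdn.jsdelivr.net", "cdnjs.cloudflare.com", "fonts.googleapis.com"],
  iframe: ["youtube.com", "youtube-nocookie.com", "vimeo.com", "loom.com", "wistia.net",
           "wistia.com", "dailymotion.com", "player.twitch.tv"],
  form: ["formsubmit.co", "api.web3forms.com", "formspree.io"],
};

// Assumption: a host matches an entry exactly or as a dot-anchored subdomain
// (www.youtube.com matches youtube.com; cdn.jsdelivr.net.other.example does not).
function hostAllowed(kind, url) {
  let u;
  try { u = new URL(url, "https://page.invalid/"); } catch { return false; } // placeholder base
  return ALLOWED[kind].some((h) => u.hostname === h || u.hostname.endsWith("." + h));
}

// Read one attribute value (quoted or bare) out of a tag's source text.
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i"));
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Rough lint: list the tags that fall under "What is not allowed" or point
// at a host missing from the lists. Regex scanning can misread unusual markup.
function lintPage(html) {
  const findings = [];
  const urlAttr = { script: "src", iframe: "src", form: "action" };
  for (const [tag] of html.matchAll(/<[a-z][^>]*>/gi)) {
    const name = tag.match(/^<([a-z0-9]+)/i)[1].toLowerCase();
    if (name === "object" || name === "embed") findings.push(`${name}: element not allowed`);
    if (/\son[a-z]+\s*=/i.test(tag)) findings.push(`${name}: event-handler attribute`);
    if (/=\s*["']?\s*javascript:/i.test(tag)) findings.push(`${name}: javascript: URL`);
    let kind = name, key = urlAttr[name];
    if (name === "link" && /stylesheet/i.test(attr(tag, "rel") || "")) { kind = "style"; key = "href"; }
    const value = key ? attr(tag, key) : null;
    if (value !== null && !hostAllowed(kind, value)) findings.push(`${name}: host not on list: ${value}`);
  }
  return findings;
}

// Constructed sample page (IDs and the cdn.example.com host are placeholders).
const SAMPLE = `<script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
<script src="https://cdn.example.com/x.js"></script>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<form action="https://formspree.io/f/FORM_ID"><button onclick="go()">Send</button></form>
<a href="javascript:void(0)">x</a>`;
console.log(lintPage(SAMPLE));
```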
Adding a library that is missing
If a CDN you need is not on the list, email support [at] rendrd [dot] io. We add reputable, version-pinned CDNs after a security check.