Urgent: Plasmic Studio CSP blocks a.plasmic.app scripts (cannot publish)

What are you trying to do?

  • Publish urgent changes and continue editing in Plasmic Studio.
  • Normal Studio usage suddenly started failing due to CSP blocking scripts loaded from a.plasmic.app.
  • This isn’t related to our project code; it appears to be a Studio CSP regression.

Reproduction steps

  • Open Plasmic Studio.
  • Observe the browser console. Multiple scripts from https://a.plasmic.app are blocked by CSP.
  • Tried:
    • Hard refresh
    • Incognito/private browsing
    • Different browsers (Chrome, Safari)
    • Different devices/network
  • Issue persists; Studio does not load ancillary scripts and shows “sentry dep missing” errors.

Console errors (examples)

Refused to load the script 'https://a.plasmic.app/static/dead-clicks-autocapture.js?v=1.258.6' because it violates the following Content Security Policy directive:
"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://studio.plasmic.app https://js.stripe.com https://cdn.segment.com https://cdn.amplitude.com https://www.google-analytics.com https://www.googletagmanager.com https://*.posthog.com".

Refused to load the script 'https://a.plasmic.app/array/phc_.../config.js' because it violates the following Content Security Policy directive: "script-src ...".
Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

C: Value must not be undefined or null - sentry dep missing

Expected behavior

  • Studio should load without CSP violations and allow me to publish/edit as usual.

Actual behavior

  • Scripts hosted on a.plasmic.app are blocked by Studio’s CSP (served from studio.plasmic.app), causing parts of Studio to fail.
  • This appears to be a configuration/deploy regression: Studio’s CSP doesn’t include a.plasmic.app in script-src (and possibly script-src-elem).

Impact

  • Blocking urgent publish/edit work. Time-sensitive.

Environment

  • Browsers: Chrome (latest), Safari (latest)
  • Mode: Normal, Incognito/Private
  • OS: macOS
  • Time window: ongoing as of now

Relevant links

  • Project: Plasmic
  • Example page I was on when errors occurred:
    Plasmic

Request

  • Please update Studio’s CSP to allow https://a.plasmic.app for scripts (and consider script-src-elem if applicable).
  • If there’s a temporary workaround we can use safely (e.g., different Studio URL or feature flag), please share.
  • An ETA for the fix would be greatly appreciated, as this is blocking an urgent publish.

Thank you for the help!

1 Like
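The matching behind those console errors, as an added example that is not part of the original post and not Plasmic's code: a simplified check of a script URL against the quoted policy, including the script-src-elem fallback the browser message mentions. The function names are hypothetical, and ports, paths, nonces, hashes and scheme upgrades are left out.

```javascript
// Added example (not Plasmic's code): simplified CSP source-list matching for script URLs.
// Handles 'self', scheme sources, host sources and "*." wildcards; ports, paths,
// nonces, hashes and scheme upgrades are out of scope.

// Policy string as quoted in the console error in the report.
const STUDIO_CSP =
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://studio.plasmic.app " +
  "https://js.stripe.com https://cdn.segment.com https://cdn.amplitude.com " +
  "https://www.google-analytics.com https://www.googletagmanager.com https://*.posthog.com";

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A directive repeated within one policy is ignored; the first occurrence wins.
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'self'") return url.origin === pageOrigin;
  if (src.startsWith("'")) return false; // 'unsafe-inline', 'unsafe-eval' allow no remote URL
  if (src.endsWith(":")) return url.protocol === src; // scheme source such as "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/.exec(src);
  if (!m) return false;
  const scheme = m[1] ? m[1] + ":" : new URL(pageOrigin).protocol;
  if (url.protocol !== scheme) return false;
  const host = m[2];
  if (host === "*") return true;
  // "*.example.com" matches subdomains only, never the bare "example.com".
  return host.startsWith("*.") ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
}

// Script elements are governed by script-src-elem, falling back to script-src, then default-src.
function scriptAllowed(policy, scriptUrl, pageOrigin) {
  const d = parseCsp(policy);
  const sources = d.get("script-src-elem") ?? d.get("script-src") ?? d.get("default-src");
  if (sources === undefined) return true; // no governing directive: not restricted
  const url = new URL(scriptUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

const PAGE = "https://studio.plasmic.app";
const BLOCKED = "https://a.plasmic.app/static/dead-clicks-autocapture.js?v=1.258.6";
console.log(scriptAllowed(STUDIO_CSP, BLOCKED, PAGE)); // false: no source covers a.plasmic.app
console.log(scriptAllowed(STUDIO_CSP + " https://a.plasmic.app", BLOCKED, PAGE)); // true
```

When a policy sets script-src-elem explicitly, script-src is no longer consulted for script elements, so a new host has to be added to whichever directive actually governs them.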

Hi @arturo_rabago!
Thanks for reporting. We have already addressed the issue, and Studio should be functioning in normal mode now.

Thank you guys

1 Like