When a script needs a library — GSAP, Swiper, a date picker — add it as a dependency instead of pasting another embed into Webflow. Cairn loads dependencies before your script runs.
Adding a library
Open Dependencies from the script editor and paste either a full <script> tag or a bare CDN URL. Cairn extracts the URL and asks for:
- Name — a label, just for you (e.g.
GSAP).
- Global — optional: the global variable the library exposes (e.g.
gsap). Recording it documents what your script can rely on once the dependency has loaded.
The CDN allowlist
Dependency URLs must be https and hosted on a trusted CDN. Cairn currently allows (including subdomains):
| Host | Typical use |
|---|
jsdelivr.net | npm & GitHub packages |
unpkg.com | npm packages |
esm.sh | npm packages as ES modules |
cdnjs.cloudflare.com | popular libraries |
skypack.dev | npm packages as ES modules |
jspm.io | npm packages as ES modules |
code.jquery.com | jQuery |
fonts.googleapis.com / fonts.gstatic.com | Google Fonts |
ajax.googleapis.com | Google-hosted libraries |
Pin dependency versions in the URL (/gsap@3.12.5/) rather than using
@latest or an unversioned path. Unpinned URLs can change behavior on your
live site without any publish from you.
Imports inside your code
The allowlist applies to the structured dependency list. import statements inside your own script content are not blocked — it’s your code on your site — but the editor warns when a runtime import is untrusted (host not on the allowlist) or unpinned (no version). See ES modules. 
