Content Security Policy (CSP) Guide for Live Chat Integration
When integrating Sprinklr Live Chat widget on a website with a predefined CSP, modifications to the CSP may be required to ensure the proper loading of Live Chat resources. This guide provides the necessary steps to whitelist our domain and other relevant URLs.
What is CSP?
Content Security Policy (CSP) is a security feature that helps protect your website from attacks by controlling where content can be loaded from. For more details, check out the Mozilla Developer Network's CSP documentation.
Why Whitelist Sprinklr?
To use our live chat on your website, it is crucial to whitelist the Sprinklr domain. This ensures that all content from Sprinklr is recognized as safe and can be loaded without issues. We recommend whitelisting all our subdomains with the wildcard *.sprinklr.com. Here is why:
Ensures uninterrupted service when we change our internal subdomains due to infrastructural changes.
Keeps your HTML uncluttered and prevents missing URLs.
Avoids the need for frequent updates as we introduce new features.
How to Whitelist Sprinklr Domains
A CSP is made up of several directives, each controlling a different type of content. Below is a breakdown of the directives, what each one allows, and the corresponding domains you need to whitelist:
Directive | Description | Domain |
script-src | Allows execution of the scripts that load the Sprinklr Live Chat application | |
img-src | Allows loading of Sprinklr assets; controls which URLs the browser can load images from | |
connect-src | Allows establishing a WebSocket connection to the Sprinklr messaging system and requesting data | |
font-src | Allows loading the Sprinklr typography used in the Live Chat UI | |
style-src | Allows inline CSS to be applied | |
Alternatively, you can use the default-src directive, which acts as the fallback for the directives above, instead of defining each of them separately.
Note: For Azure environments, you also need to whitelist https://<env>sprlivechatsecure.blob.core.windows.net/ and https://<env's abbreviation, e.g. p2 for prod2>blobstore.blob.core.windows.net so that Sprinklr assets and attachments can be opened.
Replace <env> with the respective environment; for prod2, the URLs would be https://prod2sprlivechatsecure.blob.core.windows.net/ and https://p2blobstore.blob.core.windows.net.
Note: To avoid using 'unsafe-inline' in script-src, add the data-spr-nonce attribute to the scripts in the document that embeds the Live Chat widget. This applies a nonce to the inline scripts and so mitigates the risk associated with inline script execution.
Whitelisting for Video Call Services
If you have Video Call services enabled in your live chat, additional domains related to the video call service provider (AWS or Zoom) should be whitelisted.
AWS Chime SDK
If you use the AWS Chime SDK for video calling, whitelist the domains below.
Service | URL |
Whitelisting Domains | |
IP Address range | 99.77.128.0/18 |
Port | TCP:443 UDP:3478 |
When configuring your network, you must also make sure Extension Mechanisms for DNS (EDNS0) is enabled. This ensures your application can reach the Amazon Chime SDK services, since EDNS0 lets host information be correctly sized for UDP packets.
Zoom SDK
If you use the Zoom SDK for video calling, whitelist the domains below.
Service | Details |
Zoom | |
By following this guide and updating your CSP policy, you can ensure a smooth and secure integration of our webchat services on your website.