Content Security Policy (CSP) Guide for Live chat Integration

When integrating the Sprinklr Live Chat widget on a website that employs a predefined Content Security Policy (CSP), you may need to modify the CSP settings to ensure that Live Chat resources load properly. This guide outlines the steps required to whitelist our domain and other relevant URLs for seamless integration. 

What is CSP? 

Content Security Policy (CSP) is a browser security mechanism that protects your website from attacks such as cross-site scripting (XSS) and data injection by restricting the sources from which content can be loaded. For more in-depth information, refer to the Mozilla Developer Network's CSP documentation.

Why Whitelist Sprinklr? 

Whitelisting the Sprinklr domain is essential for the effective functioning of our live chat on your website. By doing so, you ensure that all content from Sprinklr is deemed safe and can be loaded without complications. Here are some key reasons to whitelist our entire domain, including all subdomains:

  • Uninterrupted Service: Whitelisting all subdomains with a wildcard entry (*.sprinklr.com) ensures uninterrupted service, even when we make internal changes to our subdomains due to infrastructure updates.

  • Clutter-Free HTML: This approach keeps your HTML code cleaner and more manageable, eliminating the risk of missing URLs that could disrupt functionality.

  • Reduced Maintenance: By avoiding the need for frequent updates as new features are rolled out, whitelisting simplifies the maintenance of your CSP settings.

How to Whitelist Sprinklr Domains 

To properly configure your CSP, you need to know that several directives govern different types of content. Below is a summary of the directives, their descriptions, and the specific domains you need to whitelist for the Sprinklr Live Chat widget to operate correctly:

  • script-src: Controls the sources from which JavaScript can be loaded. Include the 'nonce-xxx' (a per-response random nonce) and 'strict-dynamic' values in your CSP.

  • style-src: Governs the sources for stylesheets. Include the 'nonce-xxx' or 'unsafe-inline' value in your CSP.

  • connect-src: Manages the sources for fetching data, such as API calls. Whitelist *.sprinklr.com to enable all necessary connections.

  • img-src: Dictates where images can be loaded from. Adding *.sprinklr.com ensures that all images used by the chat widget can be displayed.

  • frame-src: If applicable, this directive controls which domains can be embedded within frames. Make sure to include *.sprinklr.com if our services require framing.

Directives, their purpose, and the values to whitelist:

script-src: Ensures the execution of the scripts necessary for loading the Sprinklr Live Chat application.

  • 'nonce-xxx'

  • 'strict-dynamic'

img-src: Allows loading of Sprinklr image assets. It controls which URLs the browser can load images from.

  • *.sprinklr.com

  • Additional environment-specific parameters (refer to the note below)

connect-src: Facilitates establishing a WebSocket connection to our messaging system and requesting data.

  • wss://*.sprinklr.com

  • *.sprinklr.com

font-src: Grants access to Sprinklr typography in the live chat UI.

  • *.sprinklr.com

  • Additional environment-specific parameters (refer to the note below)

style-src: Allows the execution of inline CSS.

  • 'nonce-xxx'

frame-src: Facilitates video calling.

  • *.sprinklr.com

media-src: Allows loading of Sprinklr audio or video files. It controls which URLs the browser can load media files from.

  • *.sprinklr.com

  • Additional environment-specific parameters (refer to the note below)

As an alternative, you can use the default-src directive to reduce the need to define all the above directives independently.

Note: For Azure environments, you need to whitelist https://<env>sprlivechatsecure.blob.core.windows.net/ and https://<env's abbreviation like p2 for prod2>blobstore.blob.core.windows.net to allow the opening of Sprinklr assets and attachments. Replace <env> with the respective environment; for prod2, for example, the URLs would be https://prod2sprlivechatsecure.blob.core.windows.net/ and https://p2blobstore.blob.core.windows.net.

For AWS environments, you need to whitelist https://s3.amazonaws.com.

For GCP environments, you need to whitelist https://storage.googleapis.com.

Note: Pass the nonce value into the live chat embedded script while injecting it into the website to ensure the live chat script loads correctly. Internally, all scripts will automatically apply the correct nonce value.

Whitelisting for Video Call Services 

If you have Video Call services enabled in your live chat, additional domains related to the video call service provider (AWS or Zoom) should be whitelisted.

AWS Chime SDK 

If you use AWS Chime SDK for video calling, please whitelist the domains below.

Whitelisting domains:

  • chime.aws

  • *.chime.aws

  • *.amazonaws.com

IP address range: 99.77.128.0/18

Ports:

  • TCP 443

  • UDP 3478

When configuring your network, you must also enable Extension Mechanisms for DNS (EDNS0). This ensures your application can reach the Amazon Chime SDK services by correctly sizing host information in UDP packets.

Zoom SDK 

If you use Zoom SDK for video calling, please whitelist the domains below.

Zoom domains:

  • www.zoom.us

  • *.zoom.us

  • wss://*.zoom.us

By following this guide and updating your CSP policy, you can achieve a seamless and secure integration of our web chat services on your website.


Note: In certain environments, particularly those using corporate VPNs, firewalls, or strict network policies, users may encounter connectivity issues with video call services, even if the necessary domains are included in CSP directives.

To help ensure stable connectivity:

  • Confirm that your network or VPN permits traffic to the domains, ports, and protocols required by your video call provider.

  • Check that DNS resolution is not being blocked or modified by security software or filtering tools.

  • If problems continue, we recommend reaching out to your IT or network team to investigate any firewall or proxy settings that could be limiting access.