
Crisp Domain Names

Updated on December 23, 2024

If your website enforces a strict Content Security Policy (CSP), allow the following domains.

Some websites implement a CSP to restrict which domain names the page and its scripts can load resources from or connect to.

| Service | Full URL | Required? | Comments |
|---|---|---|---|
| JS, CSS, fonts, images, settings, Web Workers | https://client.crisp.chat | ⚠️ Required | Chat will not work without it |
| WebSocket (messaging) | wss://client.relay.crisp.chat | ⚠️ Required | Chat will not work without it |
| Avatars, images | https://image.crisp.chat | ⚠️ Required | Chat will not work without it |
| File downloads & uploads | https://storage.crisp.chat | ⚠️ Required | Required for accessing and sending files |
| Frames | https://game.crisp.chat | Optional | Only if you enabled the wait game |
| WebSocket (calls, MagicBrowse) | wss://stream.relay.crisp.chat | Optional | Only if you use MagicBrowse or calls |
| WebSocket (rescue mode) | wss://client.relay.rescue.crisp.chat | Optional | Fallback if primary WebSocket servers are down (rare) |

Chatbox CSP policy

Considerations

  • Chatbox customization features require some custom CSS to be inlined in your page, so that we can adjust the chatbox color to your settings. Make sure to include 'unsafe-inline' in your style-src CSP rule.
  • The Chatbox widget uses Web Workers to perform some on-demand short-lived background operations, such as "Are you a bot?" verifications whenever a message gets sent. Since it is currently not possible to load Web Workers in cross-domain environments, such Web Workers are fetched from a crisp.chat sub-domain and then executed in a local blob: URL. Make sure to include blob: in your worker-src CSP rule.
  • Some images are included as Base64 data URIs. It is therefore required to include data: in your img-src CSP rule.

Example

This is a sample CSP policy you can copy and paste into your website's HTML. Make sure to adjust it to include all your other domains.

<meta
  http-equiv="Content-Security-Policy"
  content="img-src data: https://*.crisp.chat; font-src https://*.crisp.chat; media-src https://*.crisp.chat; style-src 'unsafe-inline' https://*.crisp.chat; frame-src https://*.crisp.chat; script-src https://*.crisp.chat; worker-src blob: https://*.crisp.chat; connect-src https://*.crisp.chat wss://*.relay.crisp.chat wss://*.relay.rescue.crisp.chat"
>

You may also define the same CSP policy as an HTTP header, using the Content-Security-Policy header.
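
To check an existing policy before deploying the chatbox, the following added example (not Crisp's own code) parses a CSP string and lists the required Crisp sources from the table and considerations above that the policy would block. The directive assigned to each table row, the https page scheme assumed for scheme-less sources, and the simplified matching (exact scheme, no ports or paths) are assumptions of this example.

```javascript
// Required sources taken from the table and considerations on this page.
// Which directive governs each row is an assumption of this example.
const CRISP_REQUIRED = {
  "script-src": ["https://client.crisp.chat"],
  "style-src": ["https://client.crisp.chat", "'unsafe-inline'"],
  "font-src": ["https://client.crisp.chat"],
  "img-src": ["https://client.crisp.chat", "https://image.crisp.chat", "data:"],
  "worker-src": ["https://client.crisp.chat", "blob:"],
  "connect-src": ["https://client.crisp.chat", "https://storage.crisp.chat", "wss://client.relay.crisp.chat"],
};
// CSP Level 3 fallback: worker-src -> child-src -> script-src -> default-src.
const FALLBACK = { "worker-src": ["child-src", "script-src"] };

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Directive names are case-insensitive; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Simplified, conservative matching: exact scheme, optional leading "*." on the host.
function sourceAllows(source, needed) {
  if (source.toLowerCase() === needed.toLowerCase()) return true; // keywords, data:, blob:
  if (!needed.includes("://")) return false;
  const [scheme, host] = needed.split("://");
  if (source === "*" || source.toLowerCase() === scheme + ":") return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)$/i.exec(source);
  if (!m || (m[1] || "https").toLowerCase() !== scheme) return false;
  return m[2] ? host.endsWith("." + m[3].toLowerCase()) : host === m[3].toLowerCase();
}

function missingCrispSources(policy) {
  const csp = parseCsp(policy);
  const missing = [];
  for (const [directive, needs] of Object.entries(CRISP_REQUIRED)) {
    const chain = [directive, ...(FALLBACK[directive] || []), "default-src"];
    const effective = chain.find((d) => csp.has(d));
    if (!effective) continue; // no governing directive, so nothing is blocked
    const sources = csp.get(effective);
    for (const need of needs) {
      if (!sources.some((s) => sourceAllows(s, need))) missing.push(`${directive} ${need}`);
    }
  }
  return missing;
}
```

An empty result means every required source is allowed; each entry otherwise names the directive to extend and the source to add to it.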