If your website enforces a strict Content Security Policy (CSP), you may allow the following domains.
A CSP restricts which origins a page may load resources from and connect to, including scripts, styles, images, frames, Web Workers and network connections.
| Service | Full URL |
|---|---|
| JS, CSS, fonts, images, settings, Web Workers | https://client.crisp.chat |
| Avatars, images | https://image.crisp.chat |
| File downloads & uploads | https://storage.crisp.chat |
| Frames | https://game.crisp.chat |
| WebSocket (messaging) | wss://client.relay.crisp.chat |
| WebSocket (calls, MagicBrowse) | wss://stream.relay.crisp.chat |
Chatbox CSP policy
Considerations
- Chatbox customization features require some custom CSS to be inlined in your page, so that we can adjust the chatbox color to your settings. Make sure to include `'unsafe-inline'` in your `style-src` CSP rule.
- The Chatbox widget uses Web Workers to perform some on-demand short-lived background operations, such as "Are you a bot?" verifications whenever a message gets sent. Since it is currently not possible to load Web Workers in cross-domain environments, such Web Workers are fetched from a `crisp.chat` sub-domain and then executed in a local `blob:` URL. Make sure to include `blob:` in your `worker-src` CSP rule.
- Some images are included as Base64 data URIs. It is therefore required to include `data:` in your `img-src` CSP rule.
Example
This is a sample CSP policy you can copy and paste in your website HTML. Make sure to adjust it to include all your other domains.
```html
<meta
  http-equiv="Content-Security-Policy"
  content="img-src data: https://*.crisp.chat; font-src https://*.crisp.chat; media-src https://*.crisp.chat; style-src 'unsafe-inline' https://*.crisp.chat; frame-src https://*.crisp.chat; script-src https://*.crisp.chat; worker-src blob: https://*.crisp.chat; connect-src https://*.crisp.chat wss://*.relay.crisp.chat"
>
```
You may also define the same CSP policy as an HTTP header, using the Content-Security-Policy header.
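Adjusting the sample to "include all your other domains" means merging it into the policy your site already sends. The following is an added example, not Crisp's own code: `parseCsp`, `mergeCrisp`, `SITE_POLICY` and `cdn.example.com` are hypothetical names, and the script produces a value usable in the `Content-Security-Policy` header.

```javascript
// Crisp sources per directive, copied from the sample policy on this page.
const CRISP = {
  "img-src": ["data:", "https://*.crisp.chat"],
  "font-src": ["https://*.crisp.chat"],
  "media-src": ["https://*.crisp.chat"],
  "style-src": ["'unsafe-inline'", "https://*.crisp.chat"],
  "frame-src": ["https://*.crisp.chat"],
  "script-src": ["https://*.crisp.chat"],
  "worker-src": ["blob:", "https://*.crisp.chat"],
  "connect-src": ["https://*.crisp.chat", "wss://*.relay.crisp.chat"],
};
// CSP Level 3 fallback chains; every other directive above falls back to default-src.
const FALLBACK = {
  "worker-src": ["child-src", "script-src", "default-src"],
  "frame-src": ["child-src", "default-src"],
};

// Parse "name src src; name src" into a Map (first occurrence of a directive wins).
function parseCsp(policy) {
  const map = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !map.has(name.toLowerCase())) map.set(name.toLowerCase(), sources);
  }
  return map;
}

function mergeCrisp(existingPolicy) {
  const before = parseCsp(existingPolicy);
  const out = new Map(before);
  for (const [name, crispSources] of Object.entries(CRISP)) {
    let current = before.get(name);
    if (!current) {
      // A newly added directive replaces its fallback, so seed it with the
      // sources the browser was enforcing through that fallback.
      const inherited = (FALLBACK[name] || ["default-src"]).find((d) => before.has(d));
      if (!inherited) continue; // type is unrestricted today; adding it would only tighten
      current = before.get(inherited);
    }
    // 'none' is only valid on its own, so drop it once real sources are added.
    const merged = current.filter((s) => s.toLowerCase() !== "'none'");
    for (const s of crispSources) if (!merged.includes(s)) merged.push(s);
    out.set(name, merged);
  }
  return [...out].map(([name, sources]) => [name, ...sources].join(" ")).join("; ");
}

// Constructed sample: a site policy that already restricts its sources.
const SITE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src 'none'";
console.log("Content-Security-Policy: " + mergeCrisp(SITE_POLICY));
```

If your existing `style-src` carries a nonce or hash, browsers ignore `'unsafe-inline'`, so check that directive by hand after merging.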