
Content Security Policy (CSP) headers

Unblu comes with three predefined sets of directives for the Content Security Policy (CSP) HTTP response header of its various interfaces.

Activating Unblu CSP directives

By default, the Unblu CSP response headers are turned off. To use the Unblu CSP headers, set com.unblu.contentsecuritypolicy.mode to ON.

Activating CSP improves the security of Unblu by limiting access to resources that comply with the policies you specify. However, sometimes a policy may have unintended side-effects. It may block access to resources that are, in fact, required for your application to function correctly.

If you would first like to see whether activating the Unblu CSP headers results in problems, set com.unblu.contentsecuritypolicy.mode to REPORT_ONLY. Unblu then sends Content-Security-Policy-Report-Only headers rather than Content-Security-Policy headers. Violations of the CSP directives are displayed in the console of your browser’s developer tools, but the resource is still loaded. This way, you can verify that all the content security policy directives you have specified won’t block access to required resources.

The sets of CSP directives Unblu provides are:

  1. A set of directives for the Agent Desk, Visitor Desk, and Single Conversation Desk, conversation recording, and the whiteboard collaboration layer:

    Listing 1. Contents of the CSP response header for the agent and visitor user interfaces
    Content-Security-Policy: style-src 'unsafe-inline' 'self'; default-src 'none'; connect-src wss: 'self' ws:; img-src 'self' data:; media-src 'self'; font-src 'self' data:; script-src 'unsafe-inline' 'self'; frame-src 'self' blob:; worker-src 'self' blob:

    If you use Unblu’s audio and video call features, the CSP response header also includes the domains of the call service provider that’s configured in com.unblu.conversation.call.callServiceProvider. The domains are added to the connect-src and script-src fetch directives.

  2. A set of directives for the Account Configuration interface, Global Server Configuration interface, Agent Desk login page, and mobile SDKs:

    Listing 2. Contents of the CSP response header for the configuration interfaces, Agent Desk login page, and mobile SDKs
    Content-Security-Policy: style-src 'unsafe-inline' 'self'; default-src 'none'; connect-src 'self' wss: ws:; img-src 'self' data:; media-src 'self'; font-src 'self' data:; script-src 'unsafe-inline' 'self'; frame-src 'none'; worker-src 'self' blob:

  3. A set of directives for the content of a visitor’s browser displayed to an agent in the Agent Desk during an embedded co-browsing session:

    Listing 3. Contents of the CSP response header for embedded content
    Content-Security-Policy: style-src 'unsafe-inline' 'self' *; default-src 'none'; img-src 'self' * data:; media-src 'self' *; font-src 'self' * data:; script-src 'unsafe-inline'; frame-src 'self' blob:

  4. A set of directives for any error pages Unblu might display:

    Listing 4. Contents of the CSP response header for error pages
    default-src 'none'; media-src 'self'; frame-src 'none'; font-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self'

    For the error pages that are displayed when a user impersonating another user tries to access a page they aren’t allowed to access, the CSP response header also includes the following fetch directives:

    Contents of the CSP response header for impersonating user error pages
    script-src 'self' 'unsafe-inline'; connect-src 'self'

  5. A set of directives for static content:

    Listing 5. Contents of the CSP response header for static content
    default-src 'none'; media-src 'self'; frame-src 'none'; font-src 'self' data:; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self'; connect-src 'self' ws: wss:

The values ws: and wss: in the various headers are required by Apple Safari.

Modifying CSP header directives

The directives for embedded content include the * wildcard for CSS, fonts, images, and media. This is the default value of the configuration property com.unblu.contentsecuritypolicy.allowedDomainsForUiResources. If you wish to make the directive more restrictive, change the value of the property accordingly. For example, if static resources for your public website are retrieved from imgs.static.company.com and resources.company.com, you can make the CSP directive more restrictive by one of the following means:

The domains listed in the configuration property are added to the following fetch directives for embedded content:

  • media-src

  • font-src

  • img-src

  • style-src
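The following is an added example, not Unblu code, written to make two points above concrete: the REPORT_ONLY dry run (which loads would a policy refuse) and the effect of narrowing com.unblu.contentsecuritypolicy.allowedDomainsForUiResources from the * wildcard to specific domains. It parses the header values from the listings, evaluates a fetch against a directive with the CSP fallback chain, and rebuilds the Listing 3 policy with a domain list in place of *. How Unblu itself turns the property into directives is assumed from the prose here; the origin unblu.example.com, the sample resource URLs and the function names are constructed for the example.

```python
"""CSP header parser, source matcher and policy builder (added example, not Unblu code)."""
from urllib.parse import urlparse

# Directives consulted, in order, when a fetch directive is absent (CSP level 3 fallback chains).
FALLBACK = {
    "script-src": ["default-src"],
    "style-src": ["default-src"],
    "img-src": ["default-src"],
    "font-src": ["default-src"],
    "media-src": ["default-src"],
    "connect-src": ["default-src"],
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
}

# Directives that receive the domains from allowedDomainsForUiResources (assumption from the list above).
UI_RESOURCE_DIRECTIVES = ("media-src", "font-src", "img-src", "style-src")

# Header value from Listing 3 (embedded content), copied from the page.
LISTING_3 = ("style-src 'unsafe-inline' 'self' *; default-src 'none'; img-src 'self' * data:; "
             "media-src 'self' *; font-src 'self' * data:; script-src 'unsafe-inline'; "
             "frame-src 'self' blob:")


def parse_csp(header):
    """Turn a CSP header value (optionally prefixed with the header name) into
    {directive: [source expressions]}."""
    prefix = "content-security-policy:"
    if header.lower().startswith(prefix):
        header = header[len(prefix):]
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _source_matches(expr, url, self_origin):
    """Does one source expression cover url? self_origin is (scheme, host[:port])."""
    u = urlparse(url)
    if expr == "'none'":
        return False
    if expr == "*":
        # '*' covers network schemes only; data: and blob: must be listed explicitly.
        return u.scheme in ("http", "https", "ws", "wss")
    if expr == "'self'":
        return (u.scheme, u.netloc) == self_origin
    if expr.startswith("'"):
        # 'unsafe-inline', nonces and hashes govern inline content, never a URL.
        return False
    if expr.endswith(":") and "/" not in expr:
        # Scheme source such as data:, blob:, wss:
        return u.scheme == expr[:-1]
    # Host source, optionally with a scheme and a leading "*." wildcard (ports not handled).
    scheme, host = expr.split("://", 1) if "://" in expr else (None, expr)
    host = host.split("/")[0].lower()
    if scheme and u.scheme != scheme:
        return False
    if host.startswith("*."):
        return u.hostname is not None and u.hostname.endswith(host[1:])
    return u.hostname == host


def allows(policy, directive, url, self_origin=("https", "unblu.example.com")):
    """True if the policy lets `directive` fetch `url`; walks the fallback chain
    when the directive itself is absent."""
    for name in [directive] + FALLBACK.get(directive, ["default-src"]):
        if name in policy:
            return any(_source_matches(e, url, self_origin) for e in policy[name])
    return True  # no governing directive: CSP imposes no restriction


def would_block(policy, loads, self_origin=("https", "unblu.example.com")):
    """Dry run in the spirit of REPORT_ONLY: the (directive, url) pairs the policy would refuse."""
    return [(d, u) for d, u in loads if not allows(policy, d, u, self_origin)]


def restrict_ui_resources(header, allowed_domains):
    """Replace the '*' wildcard in the UI-resource directives with the given
    domains and serialise the policy back into a header value."""
    policy = parse_csp(header)
    for d in UI_RESOURCE_DIRECTIVES:
        policy[d] = [s for s in policy.get(d, []) if s != "*"] + list(allowed_domains)
    return "; ".join(f"{d} {' '.join(srcs)}" for d, srcs in policy.items())


if __name__ == "__main__":
    restricted = restrict_ui_resources(LISTING_3, ["imgs.static.company.com", "resources.company.com"])
    print(restricted)
    # Constructed sample of what an embedded co-browsing page might try to load.
    loads = [("img-src", "https://imgs.static.company.com/logo.png"),
             ("img-src", "https://cdn.thirdparty.example/pixel.gif"),
             ("font-src", "data:font/woff2;base64,AAAA")]
    print(would_block(parse_csp(restricted), loads))
```

Running it prints the narrowed Listing 3 header and a single refused load, the third-party image, which is exactly what you would see reported in the browser console under REPORT_ONLY before switching the mode to ON. The matcher deliberately treats data: and blob: as outside *, which is why the listings above keep data: alongside the wildcard.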

Limitations

The Unblu CSP headers are always delivered as HTTP response headers. It isn’t possible to include them in a meta tag.

See also

For more information about the Content-Security-Policy HTTP response header, refer to the following resources: