Content Security Policy (CSP) support
Content Security Policy (CSP) support
Recommended setup
The Web Widget supports websites which use a Content Security Policy (CSP) and follows Google'sstrict CSP guidelines. We recommend following Google's policy for the best support and easiest setup with the widget.
当following these guidelines, add thenonce
attribute to the Web Widget snippet.
<script
nonce="{random}"
id="ze-snippet"
src="https://static.zdassets.com/ekr/snippet.js?key=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
>script>
This{random}
value must be a unique cryptographic number that is generated by the server each time the CSP is transmitted.
Note: This security policy works with the messenger version of the Zendesk Web Widget snippet. Ensure that your snippet aligns with the example above.
Custom setup (using other CSP directives)
We cannot guarantee that the Web Widget won't violate a custom CSP that does not follow Google'sguidelines. However, if you add the following directives, it should prevent the widget causing violations:
default-src'self'
https://static.zdassets.com
https://ekr.zdassets.com
https://ekr.亚博.com
https://{zendeskSubdomain}.亚博.com
https://api.smooch.io
https://media.smooch.io
https://亚博-eu.my.sentry.io
https://sdk.twilio.com
https://eventgw.*.twilio.com
wss://{zendeskSubdomain}.亚博.com
wss://api.smooch.io
wss://voice-js.roaming.twilio.com;
style-src'unsafe-inline';
img-src'self'
https://static.zdassets.com
https://accounts.亚博.com
https://{zendeskSubdomain}.亚博.com
https://media.smooch.io
https://*.zdusercontent.com
blob:
data:;
If you have custom directives specified such asscript-src
orconnect-src
, add the hosts specified indefault-src
above.