If you have defined a Content Security Policy (CSP) for your website, and you’ve also integrated the Liveperson Web Messaging and/or Chat experience on your website via the Web Tag, the CSP may need to be modified to allow certain critical LivePerson resources to be loaded by consumer browsers.
What is a CSP?: an added layer of security to restrict/specify the sources and type of content (scripts/styles/iframes/etc.) that can be loaded on the web page. It helps to mitigate certain types of attacks, including Cross-Site Scripting (XSS).
Recommended CSP
In order for LivePerson Web Messaging/Chat to function properly, it is highly recommended to:
- Whitelist the required LivePerson domains for specific directives of the CSP policy, so that they aren’t blocked by the browser
- Since LivePerson Web Messaging/Chat application dynamically applies inline CSS and scripts, include the ‘unsafe-inline’ and ‘unsafe-eval’ CSP directives to allow the inline content to execute
Example
default-src 'self' *.lpsnmedia.net;
connect-src 'self' *.liveperson.net *.lpsnmedia.net;
frame-src 'self' *.lpsnmedia.net *.liveperson.net;
img-src 'self' data: *.lpsnmedia.net;
media-src 'self' blob: *.lpsnmedia.net;
script-src 'self' 'unsafe-inline' 'unsafe-eval' *.lpsnmedia.net *.liveperson.net;
style-src 'self' 'unsafe-inline' *.lpsnmedia.net *.liveperson.net;
Details
CSP directive (content type) |
Wildcard domain(s) (recommended) |
Explicit domain(s) (environment-based) |
Description |
---|---|---|---|
default-src | https://*.lpsnmedia.net | https://cdn.lpsnmedia.net https://lpcdn.lpsnmedia.net |
LivePerson media such as the engagement and messaging window icons/images and message alert sound |
connect-src | wss://*.liveperson.net https://*.liveperson.net https://*.lpsnmedia.net |
wss://va.msg.liveperson.net https://cdn.lpsnmedia.net https://accdn.liveperson.net https://lpcdn.lpsnmedia.net |
Web Socket connection to messaging system and requests for account configuration data |
frame-src | https://*.lpsnmedia.net https://*.liveperson.net |
https://cdn.lpsnmedia.net https://lpcdn.lpsnmedia.net https://va.idp.liveperson.net https://va.msg.liveperson.net https://va.msghist.liveperson.net https://va.tokenizer.liveperson.net |
Requests to identity provider (IDP), messaging system, secure forms, messaging history, etc. |
img-src | data: https://*.lpsnmedia.net |
data: https://cdn.lpsnmedia.net https://lpcdn.lpsnmedia.net |
LivePerson media such as the engagement and messaging window icons/images |
media-src | blob: https://*.lpsnmedia.net |
blob: https://cdn.lpsnmedia.net https://lpcdn.lpsnmedia.net |
LivePerson media such as the messaging window message alert sound |
script-src | unsafe-inline unsafe-eval https://*.lpsnmedia.net https://*.liveperson.net |
unsafe-inline unsafe-eval https://lptag.liveperson.net https://cdn.lpsnmedia.net https://accdn.lpsnmedia.net https://lpcdn.lpsnmedia.net https://va.v.liveperson.net |
Requests for consumer monitoring, account configuration data, and application code/content. 'unsafe-inline' and 'unsafe-eval' must also be added to allow inline scripts to run |
style-src | unsafe-inline https://*.lpsnmedia.net https://*.liveperson.net |
unsafe-inline https://lptag.liveperson.net https://cdn.lpsnmedia.net https://accdn.lpsnmedia.net https://lpcdn.lpsnmedia.net https://va.v.liveperson.net |
Requests for consumer monitoring, account configuration data, and application code/content. 'unsafe-inline' must also be added to allow inline CSS to run |
If using explicit domains in your CSP instead of wildcard domains ('*'), then keep in mind that the subdomain of a given domain above may change slightly based on your account's LivePerson region/environment (i.e. 'va', 'lo'). Please contact LivePerson Technical Support if assistance is required (use the chat on this page, or message Support).
Using a 'nonce' and 'strict-dynamic'
Using a nonce and strict-dynamic in your CSP for scripts (script-src directive) is not recommended, but may be supported in certain situations. If desired, you must also implement the nonce when loading the Web Tag.
Strict CSP Mode
If you have defined a more stringent Content Security Policy (CSP) than what is recommended above (i.e. one that disallows unsafe inline styles and scripts from executing), then further account changes may be required to allow LivePerson Web Messaging to function properly.
In LivePerson Web Messaging, “Strict CSP Mode” can be enabled on your account to allow it to work with a CSP that disallows unsafe inline styles and scripts, albeit with some limitations.
How to enable:
- Whitelist the required LivePerson domains for specific directives of the CSP policy, so that they aren’t blocked by the browser (same as in the recommended solution)
- Determine whether you need to utilize a nonce and strict-dynamic for scripts. If so, you must also implement the nonce when loading the Web Tag.
- To have Strict CSP Mode enabled for your account, contact LivePerson Technical Support (use the chat on this page, or message Support).
Example
default-src 'self' *.lpsnmedia.net;
connect-src 'self' *.liveperson.net *.lpsnmedia.net;
frame-src 'self' *.lpsnmedia.net *.liveperson.net;
img-src 'self' data: *.lpsnmedia.net;
media-src 'self' blob: *.lpsnmedia.net;
script-src 'self' *.lpsnmedia.net *.liveperson.net;
style-src 'self' *.lpsnmedia.net *.liveperson.net;
Strict CSP Mode known limitations:
- Strict CSP Mode only supported in Web Messaging (not Chat)
- Messaging window animations are not supported in Strict CSP Mode
- Based on technical limitations, Strict CSP Mode may affect the performance of the web messaging window (e.g. loading/rendering speed)