If you have defined a Content Security Policy (CSP) for your website and have also integrated the LivePerson Web Messaging and/or Chat experience via the Web Tag, the CSP may need to be modified to allow certain critical LivePerson resources to be loaded by consumer browsers.

What is a CSP? An added layer of security that restricts and specifies the sources and types of content (scripts, styles, iframes, etc.) that can be loaded on a web page. It helps to mitigate certain types of attacks, including Cross-Site Scripting (XSS).

In order for LivePerson Web Messaging/Chat to function properly, it is highly recommended to:

  1. Whitelist the required LivePerson domains in the relevant directives of the CSP, so that they aren't blocked by the browser
  2. Since the LivePerson Web Messaging/Chat application dynamically applies inline CSS and scripts, include the 'unsafe-inline' source in the script-src and style-src directives to allow that inline content to execute

Directives

Columns: CSP directive (content type); wildcard domain (recommended); specific domain example (VA; the subdomain may change slightly based on environment, e.g. 'va', 'lo'); description (best guess).

default-src
  Wildcard: https://*.lpsnmedia.net
  Specific: https://lpcdn.lpsnmedia.net
  Description: LivePerson media such as the engagement and messaging window icons/images and message alert sound

connect-src
  Wildcard: wss://*.liveperson.net, https://*.lpsnmedia.net
  Specific: wss://va.msg.liveperson.net, https://lpcdn.lpsnmedia.net
  Description: Web Socket connection to the messaging system and requests for account configuration data

frame-src
  Wildcard: https://*.lpsnmedia.net, https://*.liveperson.net
  Specific: https://lpcdn.lpsnmedia.net, https://va.idp.liveperson.net, https://va.msg.liveperson.net, https://va.msghist.liveperson.net, https://va.tokenizer.liveperson.net
  Description: Requests to the identity provider (IDP), messaging system, secure forms, messaging history, etc.

img-src
  Wildcard: https://*.lpsnmedia.net
  Specific: https://lpcdn.lpsnmedia.net
  Description: LivePerson media such as the engagement and messaging window icons/images

script-src
  Wildcard: 'unsafe-inline', https://*.lpsnmedia.net, https://*.liveperson.net
  Specific: 'unsafe-inline', https://lptag.liveperson.net, https://accdn.lpsnmedia.net, https://lpcdn.lpsnmedia.net, https://va.v.liveperson.net
  Description: Requests for consumer monitoring, account configuration data, and application code/content. 'unsafe-inline' must also be added to allow inline scripts to run

style-src
  Wildcard: 'unsafe-inline', https://*.lpsnmedia.net, https://*.liveperson.net
  Specific: 'unsafe-inline', https://lptag.liveperson.net, https://accdn.lpsnmedia.net, https://lpcdn.lpsnmedia.net, https://va.v.liveperson.net
  Description: Requests for consumer monitoring, account configuration data, and application code/content. 'unsafe-inline' must also be added to allow inline CSS to apply

media-src
  Wildcard: https://*.lpsnmedia.net
  Specific: https://lpcdn.lpsnmedia.net
  Description: LivePerson media such as the messaging window message alert sound

Example

default-src 'self' *.lpsnmedia.net;
connect-src 'self' *.liveperson.net *.lpsnmedia.net;
frame-src 'self' *.lpsnmedia.net *.liveperson.net;
img-src 'self' data: *.lpsnmedia.net;
media-src 'self' blob: *.lpsnmedia.net;
script-src 'self' 'unsafe-inline' 'unsafe-eval' *.lpsnmedia.net *.liveperson.net;
style-src 'self' 'unsafe-inline' *.lpsnmedia.net *.liveperson.net;
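The following script is an added example, not LivePerson's own code: it checks a CSP header against the resources listed in the directives table and reports what the browser would block, applying the default-src fallback the way browsers do. It assumes the page is served over https and approximates CSP Level 3 host matching; the strict_mode flag models the Strict CSP Mode described below, where 'unsafe-inline' is not required.

```python
"""Check a CSP header against the LivePerson sources in the table above.
Added example, not LivePerson code: REQUIRED is taken from the table; the
sample policy and the https-page assumption are constructed; matching
approximates CSP Level 3 host-source rules (ports and paths are ignored)."""
from urllib.parse import urlsplit

REQUIRED = {  # directive -> concrete resources the messaging window loads
    "connect-src": ["wss://va.msg.liveperson.net", "https://lpcdn.lpsnmedia.net"],
    "frame-src": ["https://va.idp.liveperson.net", "https://va.msg.liveperson.net"],
    "img-src": ["https://lpcdn.lpsnmedia.net"],
    "media-src": ["https://lpcdn.lpsnmedia.net"],
    "script-src": ["https://lptag.liveperson.net", "https://accdn.lpsnmedia.net"],
    "style-src": ["https://lptag.liveperson.net", "https://accdn.lpsnmedia.net"],
}
# Secure upgrades CSP3 lets a scheme cover: an https page's sources also match wss.
UPGRADES = {"https": {"https", "wss"}, "http": {"http", "https", "ws", "wss"}}

def parse_csp(header):
    """'a-src x y; b-src z' -> {'a-src': ['x', 'y'], 'b-src': ['z']}."""
    parts = [d.split() for d in header.split(";") if d.strip()]
    return {p[0].lower(): p[1:] for p in parts}

def source_matches(expr, url, origin_scheme="https"):
    """Does one source expression allow url? Keywords and bare schemes never do."""
    if expr.startswith("'") or (":" in expr and "://" not in expr):
        return False
    scheme, _, host = expr.rpartition("://")
    scheme, u = scheme or origin_scheme, urlsplit(url)   # no scheme: the page's own
    ok_scheme = u.scheme in UPGRADES.get(scheme, {scheme})
    if host.startswith("*."):            # *.x.net matches a.x.net but not x.net
        return ok_scheme and u.hostname.endswith(host[1:])
    return ok_scheme and u.hostname == host

def check_policy(header, strict_mode=False):
    """Return (directive, resource) pairs the policy would block."""
    policy, blocked = parse_csp(header), []
    for directive, urls in REQUIRED.items():
        sources = policy.get(directive, policy.get("default-src", []))  # fallback
        blocked += [(directive, u) for u in urls
                    if not any(source_matches(s, u) for s in sources)]
        # Without Strict CSP Mode the window injects inline script and CSS.
        if (directive in ("script-src", "style-src") and not strict_mode
                and "'unsafe-inline'" not in sources):
            blocked.append((directive, "inline"))
    return blocked

# Constructed sample: the recommended policy minus connect-src and minus 'unsafe-inline' on style-src.
SAMPLE = ("default-src 'self' *.lpsnmedia.net; frame-src 'self' *.liveperson.net; "
          "script-src 'self' 'unsafe-inline' *.lpsnmedia.net *.liveperson.net; "
          "style-src 'self' *.lpsnmedia.net *.liveperson.net")
```

Running check_policy(SAMPLE) reports that the Web Socket endpoint is blocked (connect-src fell back to default-src, which has no liveperson.net entry) and that inline CSS would be blocked; the full recommended policy above reports nothing.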

Strict CSP Mode

If you have defined a more stringent Content Security Policy (CSP) than what is recommended above (i.e. one that disallows unsafe inline styles and scripts from executing), then further account changes may be required to allow LivePerson Web Messaging to function properly.

In LivePerson Web Messaging, “Strict CSP Mode” can be enabled on your account to allow it to work with a CSP that disallows unsafe inline styles and scripts, albeit with some limitations.

How to enable:

  1. Whitelist the required LivePerson domains in the relevant directives of the CSP, so that they aren't blocked by the browser (same as in the recommended solution)
  2. Determine whether you need to use a nonce and 'strict-dynamic' for scripts. If so, also apply the nonce when loading the Web Tag.
  3. To have Strict CSP Mode enabled for your account, contact LivePerson Technical Support (use the chat on this page, or message Support).

Example

default-src 'self' *.lpsnmedia.net;
connect-src 'self' *.liveperson.net *.lpsnmedia.net;
frame-src 'self' *.lpsnmedia.net *.liveperson.net;
img-src 'self' data: *.lpsnmedia.net;
media-src 'self' blob: *.lpsnmedia.net;
script-src 'self' *.lpsnmedia.net *.liveperson.net;
style-src 'self' *.lpsnmedia.net *.liveperson.net;

Known limitations:
  • Strict CSP Mode is only supported in Web Messaging (not Chat)
  • Messaging window animations are not supported in Strict CSP Mode
  • Because of technical limitations, Strict CSP Mode may affect the performance of the web messaging window (e.g. loading/rendering speed)