<aside>
If you do not have a CSP configured, it does not interfere with botBrains. If you have one in place, you must make sure that you update it when integrating botBrains. CSPs require a deep understanding of browser behaviour, and getting a single character wrong can trip you up. We are here to help: reach out to [email protected] or via live chat on platform.botbrains.io.
</aside>
<aside>
We're not perfect, and you might encounter unexpected CSP blocks in the browser console. Please report them to [email protected].
</aside>
This document serves as a comprehensive guide to the Content Security Policy (CSP) requirements for integrating with the botBrains Chat Bubble service. It outlines the key endpoints we communicate with and the resulting necessary CSP configuration.
Content Security Policies (CSPs) are a security mechanism implemented by web browsers to prevent various types of attacks, particularly cross-site scripting (XSS) and data injection attacks. A CSP lets the server serving a website specify exactly which sources of content the browser should consider trustworthy, and from which it may load resources such as scripts, stylesheets, images, fonts, and more. CSPs are delivered through HTTP response headers or HTML meta elements within web pages, creating a security layer that blocks potentially malicious content from executing.
Check whether your server returns this header on the main HTML document it serves:
Content-Security-Policy:
When integrating botBrains (via the HTML/JS snippet), your CSP may block our functionality. Because we run in your domain context, a strict CSP can prevent script execution, API communication, or dynamic content generation. You must update your CSP directives to explicitly allow botBrains to operate correctly.
While we bundle (vendor) our dependencies with version pinning, some libraries talk to their own systems to load additional features such as Session Replay on demand. To ensure proper functionality, your CSP must allow communication with the following endpoints:
- https://api.botbrains.io - Primary API for backend communication
- https://chat.botbrains.io - Used for chat functionality and script loading
- https://*.botbrains-cdn.com - Used for asset loading and proxying 3rd party assets
- data: - Used to load image and audio data
Our system may load images and URLs dynamically for link previews. While we plan to proxy these asset requests through our CDN, we currently load them directly from their respective sources. We are aware that this is also not perfect in terms of tracking prevention. Images from your allowed domains will work as expected, but some images may be blocked until we get to that on the roadmap.
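As an added example (not botBrains' own code or tooling), the following Python checker parses a Content-Security-Policy header value and reports which of the endpoints listed above would still be blocked. The mapping of endpoints to directives (script-src, connect-src, img-src, media-src) is an assumption derived from the descriptions above, and the sample policies are constructed for illustration; the real policy to check is the one your server sends, and the authoritative directive list comes from botBrains.

```python
"""Check a CSP header value for the sources a botBrains embed needs.

Added example, not botBrains' own code. The REQUIRED mapping below is an
assumption based on the endpoint descriptions on this page.
"""
from __future__ import annotations

import fnmatch

# Endpoint -> directive mapping (assumed from the page's descriptions).
REQUIRED: dict[str, list[str]] = {
    "script-src": ["https://chat.botbrains.io"],
    "connect-src": ["https://api.botbrains.io", "https://chat.botbrains.io"],
    "img-src": ["https://*.botbrains-cdn.com", "data:"],
    "media-src": ["https://*.botbrains-cdn.com", "data:"],
}

# Constructed sample policies: a typical strict policy, and one updated with
# the sources above.
STRICT_CSP = "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'"
UPDATED_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://chat.botbrains.io; "
    "connect-src 'self' https://api.botbrains.io https://chat.botbrains.io; "
    "img-src 'self' https://*.botbrains-cdn.com data:; "
    "media-src 'self' https://*.botbrains-cdn.com data:"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Browsers ignore a repeated directive, so the first occurrence wins.
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def _split_source(src: str) -> tuple[str | None, str]:
    """Return (scheme, host) for a host-source such as https://a.example:443/x."""
    scheme, sep, rest = src.partition("://")
    if not sep:
        return None, src
    host = rest.split("/", 1)[0].split(":", 1)[0]
    return scheme, host


def source_allows(expr: str, needed: str) -> bool:
    """Does one CSP source expression permit the needed origin or scheme?"""
    expr, needed = expr.lower(), needed.lower()
    if needed.endswith(":"):
        # Scheme sources like data: must be listed explicitly; '*' does not
        # cover them, which is a common cause of blocked inline images.
        return expr == needed
    if expr.startswith("'"):
        return False  # keywords such as 'self' never match a third-party host
    if expr == "*" or expr == needed:
        return True
    if expr.endswith(":"):
        return needed.startswith(expr)  # scheme-only source, e.g. https:
    e_scheme, e_host = _split_source(expr)
    n_scheme, n_host = _split_source(needed)
    if e_scheme is not None and e_scheme != n_scheme:
        return False
    # A leading '*.' in a host-source matches any subdomain depth.
    return fnmatch.fnmatchcase(n_host, e_host)


def missing_sources(header: str) -> dict[str, list[str]]:
    """Return {directive: [sources the policy would block]}."""
    policy = parse_csp(header)
    missing: dict[str, list[str]] = {}
    for directive, needed in REQUIRED.items():
        # Fetch directives fall back to default-src; with neither present,
        # the browser imposes no restriction for that directive.
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            continue
        gaps = [n for n in needed if not any(source_allows(s, n) for s in sources)]
        if gaps:
            missing[directive] = gaps
    return missing


if __name__ == "__main__":
    for label, csp in (("strict", STRICT_CSP), ("updated", UPDATED_CSP)):
        print(f"{label}: {missing_sources(csp) or 'all required sources allowed'}")
```

Run it against the header your server actually returns (for example, the value you copied from the browser's network panel). Note that the checker reports media-src gaps even when that directive is absent, because the absent directive inherits default-src; and a policy that uses `*` still blocks `data:` images, since wildcard host-sources do not cover scheme-only sources.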