If you have defined a Content Security Policy (CSP) for your website, and you’ve also integrated the Liveperson Web Messaging and/or Chat experience on your website via the Web Tag, the CSP may need to be modified to allow certain critical LivePerson resources to be loaded by consumer browsers.
What is a CSP?: an added layer of security to restrict/specify the sources and type of content (scripts/styles/iframes/etc.) that can be loaded on the web page. It helps to mitigate certain types of attacks, including Cross-Site Scripting (XSS).
Recommended CSP
In order for LivePerson Web Messaging/Chat to function properly, it is highly recommended to:
- Whitelist the required LivePerson domains for specific directives of the CSP policy, so that they aren’t blocked by the browser
- Since LivePerson Web Messaging/Chat application dynamically applies inline CSS and scripts, include the ‘unsafe-inline’ and ‘unsafe-eval’ CSP directives to allow the inline content to execute
Example
default-src 'self' *.lpsnmedia.net;
connect-src 'self' wss://*.liveperson.net *.liveperson.net *.lpsnmedia.net;
frame-src 'self' *.lpsnmedia.net *.liveperson.net;
img-src 'self' data: *.lpsnmedia.net;
media-src 'self' blob: *.lpsnmedia.net;
script-src 'self' 'unsafe-inline' 'unsafe-eval' *.lpsnmedia.net *.liveperson.net;
style-src 'self' 'unsafe-inline' *.lpsnmedia.net *.liveperson.net;
Details
| CSP directive (content type) |
Wildcard domain(s) (recommended) |
Explicit domain(s) (environment-based) |
Description |
|---|---|---|---|
| default-src | https://*.lpsnmedia.net | https://cdn.lpsnmedia.net https://lpcdn.lpsnmedia.net |
LivePerson media such as the engagement and messaging window icons/images and message alert sound |
| connect-src | wss://*.liveperson.net https://*.liveperson.net https://*.lpsnmedia.net |
wss://va.msg.liveperson.net https://va.msg.liveperson.net https://va.msghist.liveperson.net https://va.tokenizer.liveperson.net https://va.idp.liveperson.net https://va.v.liveperson.net https://va.shiftstatus.liveperson.net https://z1.heimdall.liveperson.net https://cdn.lpsnmedia.net https://accdn.lpsnmedia.net https://lpcdn.lpsnmedia.net |
Web Socket connection and requests to messaging system; requests for account configuration, consumer monitoring, identity provider (IDP), messaging history, secure forms, etc. |
| frame-src | https://*.lpsnmedia.net https://*.liveperson.net |
https://cdn.lpsnmedia.net https://lpcdn.lpsnmedia.net https://va.msg.liveperson.net https://va.msghist.liveperson.net https://va.tokenizer.liveperson.net https://va.idp.liveperson.net https://va.v.liveperson.net https://va.shiftstatus.liveperson.net |
Requests to identity provider (IDP), messaging system, secure forms, messaging history, etc. |
| img-src | data: https://*.lpsnmedia.net |
data: https://cdn.lpsnmedia.net https://lpcdn.lpsnmedia.net |
LivePerson media such as the engagement and messaging window icons/images |
| media-src | blob: https://*.lpsnmedia.net |
blob: https://cdn.lpsnmedia.net https://lpcdn.lpsnmedia.net |
LivePerson media such as the messaging window message alert sound |
| script-src | unsafe-inline unsafe-eval https://*.lpsnmedia.net https://*.liveperson.net |
unsafe-inline unsafe-eval https://cdn.lpsnmedia.net https://accdn.lpsnmedia.net https://lpcdn.lpsnmedia.net https://lptag.liveperson.net https://va.v.liveperson.net |
Requests for consumer monitoring, account configuration data, and application code/content. 'unsafe-inline' and 'unsafe-eval' must also be added to allow inline scripts to run |
| style-src | unsafe-inline https://*.lpsnmedia.net https://*.liveperson.net |
unsafe-inline https://cdn.lpsnmedia.net https://accdn.lpsnmedia.net https://lpcdn.lpsnmedia.net https://lptag.liveperson.net https://va.v.liveperson.net |
Requests for consumer monitoring, account configuration data, and application code/content. 'unsafe-inline' must also be added to allow inline CSS to run |
If using explicit domains in your CSP instead of wildcard domains ('*'), then keep in mind that the subdomain of a given domain above may change slightly based on your account's LivePerson region/environment (i.e. 'va', 'lo'). Please contact LivePerson Technical Support if assistance is required (use the chat on this page, or message Support).
Using a 'nonce' and 'strict-dynamic'
Using a nonce and strict-dynamic in your CSP for scripts (script-src directive) is not recommended, but may be supported in certain situations. If desired, you must also implement the nonce when loading the Web Tag.
Testing
The "LivePerson Web Messaging Debugger" Chrome browser extension can be used to uncover CSP compliancy/compatibility issues with LivePerson web messaging/chat.
- The extension includes a developer tools panel that allows to verify that the required domains and CSP directives are not blocked on the current web page.
- This testing method is recommended for better future-proofing against future platform changes.
1. Pre-requisites
- Google Chrome or Microsoft Edge browser
- On the website, install the Web Tag
- Ensure the CSP is compliant for LivePerson web messaging according to the documentation.
2. Install the Chrome extension
- Navigate to the Chrome extension "LivePerson Web Messaging Debugger"
- Click on the “Add to Chrome” button to install the extension
- Click the “Add extension” button to install the extension
- Notice the new extension added by navigating to chrome://extensions/
*The extension can also be installed on the Microsoft Edge browser with similar steps.
3. Using the debugger
- Open the Developer Tools (View -> Developer -> Developer Tools)
- Click on the tab in the Developer Tools named LivePerson
- Wait for the view inside the tab to load..
- After the tab view has loaded, if the host webpage is properly tagged, then “Web Tag detected”, and the account number will show at the top of the tab view.
- If not, try reloading the webpage, closing/reopening the Developer Tools, or troubleshooting to make sure the Web Tag is integrated correctly on the webpage.
- In the tab view, click on "CSP"
- Read the gray instructions on how to start the test.
- After the test runs, follow the instructions given for next steps according to the results of the test
Strict CSP Mode
If you have defined a more stringent Content Security Policy (CSP) than what is recommended above (i.e. one that disallows unsafe inline styles and scripts from executing), then further account changes may be required to allow LivePerson Web Messaging to function properly.
In LivePerson Web Messaging, “Strict CSP Mode” can be enabled on your account to allow it to work with a CSP that disallows unsafe inline styles and scripts, albeit with some limitations.
How to enable:
- Whitelist the required LivePerson domains for specific directives of the CSP policy, so that they aren’t blocked by the browser (same as in the recommended solution)
- Determine whether you need to utilize a nonce and strict-dynamic for scripts. If so, you must also implement the nonce when loading the Web Tag.
- To have Strict CSP Mode enabled for your account, contact LivePerson Technical Support (use the chat on this page, or message Support).
Example
default-src 'self' *.lpsnmedia.net;
connect-src 'self' wss://*.liveperson.net *.liveperson.net *.lpsnmedia.net;
frame-src 'self' *.lpsnmedia.net *.liveperson.net;
img-src 'self' data: *.lpsnmedia.net;
media-src 'self' blob: *.lpsnmedia.net;
script-src 'self' *.lpsnmedia.net *.liveperson.net;
style-src 'self' *.lpsnmedia.net *.liveperson.net;
Strict CSP Mode known limitations:
- Strict CSP Mode only supported in Web Messaging (not Chat)
- Messaging window animations are not supported in Strict CSP Mode
- Based on technical limitations, Strict CSP Mode may affect the performance of the web messaging window (e.g. loading/rendering speed)
- Strict CSP Mode cannot be tested with the "LivePerson Web Messaging Debugger" Chrome extension