CSP requirements for the TrueEngage widget
Everything the widget loads or connects to at runtime, organized by CSP directive
This article lists everything the TrueEngage widget loads or connects to at runtime, organized by Content Security Policy (CSP) directive, so your team can allowlist it all upfront instead of discovering blocked resources one at a time.
Recommended policy
Merge these sources into your existing directives — keep your own 'self' and first-party origins. The lines marked optional are only needed if you enable that feature (voice, video, background blur, co-browse).
# --- scripts: external SDKs loaded lazily at runtime ---
# 'unsafe-eval' is required; voice/video SDKs also need wasm-unsafe-eval
script-src 'self' 'unsafe-eval' 'wasm-unsafe-eval'
https://cdn.jsdelivr.net
https://cdn.form.io
https://apps.mypurecloud.de; # Genesys region — see notes
# --- styles: injected inline + CDN stylesheets + web fonts ---
style-src 'self' 'unsafe-inline'
https://cdn.jsdelivr.net
https://cdn.form.io
https://fonts.googleapis.com
https://api.fontshare.com;
# --- network: APIs, websockets, telemetry, geo/IP ---
connect-src 'self' blob:
https://*.trueengage.com
wss://*.trueengage.com
https://cdn.jsdelivr.net
# Genesys (region-specific — replace mypurecloud.de with your org's region):
https://api.mypurecloud.de
wss://webmessaging.mypurecloud.de
https://*.mypurecloud.de
# voice/video media SDKs (only if voice/video enabled):
https://*.opentok.com wss://*.tokbox.com https://*.tokbox.com
https://*.vonage.com wss://*.vonage.com https://*.nexmo.com wss://*.nexmo.com;
# --- notification sounds (required) ---
media-src 'self' data: blob: mediastream:;
# --- images: icons/avatars incl. inlined webp + agent avatars from any host ---
img-src 'self' data: blob: https:;
# --- fonts (web fonts + inlined) ---
font-src 'self' data:
https://fonts.gstatic.com
https://cdn.fontshare.com
https://cdn.jsdelivr.net
https://cdn.form.io;
# --- frames: videos (customer URLs) + Genesys co-browse/messenger ---
frame-src 'self' https:
https://*.mypurecloud.de;
# --- worker threads (background blur / media pipeline) ---
worker-src 'self' blob:;
Notes & caveats
'unsafe-inline'for styles is required. The widget injects its UI styles inline at runtime.'unsafe-eval'for scripts is required. The widget evaluates configured custom scripts and AI-driven logic at runtime, and several voice/video SDKs (plus WebAssembly-based background blur, which also needs'wasm-unsafe-eval') rely on it. This is a hard requirement in the current build.- Genesys hosts are region-specific. The examples use the EU (Frankfurt /
mypurecloud.de) region. Replace with your organization's Genesys Cloud region across all Genesys entries (api.,webmessaging.,apps., and the wildcard). - The widget inlines assets as data: URIs to reduce network round-trips: audio (the notification sounds), images (some UI icons are inlined webp), and fonts. So data: is required on media-src, img-src, and font-src. It is not needed on script-src.