Skip to content
  • There are no suggestions because the search field is empty.

CSP requirements for the TrueEngage widget

Everything the widget loads or connects to at runtime, organized by CSP directive

This article lists everything the TrueEngage widget loads or connects to at runtime, organized by Content Security Policy (CSP) directive, so your team can allowlist it all upfront instead of discovering blocked resources one at a time.

Recommended policy

Merge these sources into your existing directives — keep your own 'self' and first-party origins. The lines marked optional are only needed if you enable that feature (voice, video, background blur, co-browse).

# --- scripts: external SDKs loaded lazily at runtime ---
# 'unsafe-eval' is required; voice/video SDKs also need wasm-unsafe-eval
script-src 'self' 'unsafe-eval' 'wasm-unsafe-eval'
  https://cdn.jsdelivr.net
  https://cdn.form.io
  https://apps.mypurecloud.de;   # Genesys region — see notes

# --- styles: injected inline + CDN stylesheets + web fonts ---
style-src 'self' 'unsafe-inline'
  https://cdn.jsdelivr.net
  https://cdn.form.io
  https://fonts.googleapis.com
  https://api.fontshare.com;

# --- network: APIs, websockets, telemetry, geo/IP ---
connect-src 'self' blob:
  https://*.trueengage.com
  wss://*.trueengage.com
  https://cdn.jsdelivr.net
  # Genesys (region-specific — replace mypurecloud.de with your org's region):
  https://api.mypurecloud.de
  wss://webmessaging.mypurecloud.de
  https://*.mypurecloud.de
  # voice/video media SDKs (only if voice/video enabled):
  https://*.opentok.com  wss://*.tokbox.com  https://*.tokbox.com
  https://*.vonage.com  wss://*.vonage.com https://*.nexmo.com   wss://*.nexmo.com;

# --- notification sounds (required) ---
media-src 'self' data: blob: mediastream:;

# --- images: icons/avatars incl. inlined webp + agent avatars from any host ---
img-src 'self' data: blob: https:;

# --- fonts (web fonts + inlined) ---
font-src 'self' data:
  https://fonts.gstatic.com
  https://cdn.fontshare.com
  https://cdn.jsdelivr.net
  https://cdn.form.io;

# --- frames: videos (customer URLs) + Genesys co-browse/messenger ---
frame-src 'self' https:
  https://*.mypurecloud.de;

# --- worker threads (background blur / media pipeline) ---
worker-src 'self' blob:;

 

Notes & caveats

  • 'unsafe-inline' for styles is required. The widget injects its UI styles inline at runtime.
  • 'unsafe-eval' for scripts is required. The widget evaluates configured custom scripts and AI-driven logic at runtime, and several voice/video SDKs (plus WebAssembly-based background blur, which also needs 'wasm-unsafe-eval') rely on it. This is a hard requirement in the current build.
  • Genesys hosts are region-specific. The examples use the EU (Frankfurt / mypurecloud.de) region. Replace with your organization's Genesys Cloud region across all Genesys entries (api., webmessaging., apps., and the wildcard).
  • The widget inlines assets as data: URIs to reduce network round-trips: audio (the notification sounds), images (some UI icons are inlined webp), and fonts. So data: is required on media-src, img-src, and font-src. It is not needed on script-src.