Loose CSP Policy
This is the policy we recommend, as it will allow you to support any future Crisp domain update.
You can find below the wildcard domain ranges Crisp uses:
JS, CSS, fonts, images, frames: https://*.crisp.chat
Strict CSP Policy
This policy may be updated anytime in the future. You may use the loose CSP policy rather if you want to avoid any problem if we update a domain in the future.
In case your website requires strict CSP policies, you may allow the following domains:
JS, CSS, fonts, images: https://client.crisp.chat
Avatars, images: https://image.crisp.chat
Also, make sure to add unsafe-inline to your style-src policy (if any).
Please note that Crisp also embeds Youtube, Vimeo and Dailymotion video links in the chatbox. You may adjust your CSP rules to allow domains from those services accordingly.
Published on: 03 / 11 / 2017