In case you are using a CSP policy (Content Security Policy) on your website, the Crisp chatbox will not work out of the box. You will need to add Crisp domains to your Content Security Policy rules.

Loose CSP Policy

This is the policy we recommend, as it will allow you to support any future Crisp domain update.

You can find below the wildcard domain ranges Crisp uses:

JS, CSS, fonts, settings, images, frames: https://*
WebSocket: wss://*


<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src *; style-src data: 'unsafe-inline' *; img-src data: *; frame-src *; font-src *; connect-src *">

Also, make sure to add unsafe-inline to your style-src policy (if any).

Strict CSP Policy

This policy may be updated anytime in the future. You may use the loose CSP policy rather if you want to avoid any problem if we update a domain in the future.


<meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline' 'self' wss:// wss://">

In case your website requires strict CSP policies, you may allow the following domains:

JS, CSS, fonts, images:
Avatars, images:
WebSocket (messaging): wss://
WebSocket (calls, MagicBrowse): wss://
Files and assets: wss://

Also, make sure to add unsafe-inline to your style-src policy (if any).

Please note that Crisp also embeds Youtube, Vimeo and Dailymotion video links in the chatbox. You may adjust your CSP rules to allow domains from those services accordingly.
Was this article helpful?
Thank you!