Chatlio with Content Security Policy (CSP)

You can use Chatlio with Content Security Policy (CSP) headers. If you load the Chatlio embed code from a JavaScript file rather than an inline script, you can avoid the use of script-src 'unsafe-inline'.

Chatlio requires the following policies:

default-src 'self' https://w.chatlio.com;
script-src 'self' https://w.chatlio.com;
connect-src 'self' https://api.chatlio.com https://api-cdn.chatlio.com wss://push.chatlio.com wss://ws.pusherapp.com;
img-src 'self' data: https://w.chatlio.com https://avatars.slack-edge.com https://files.slack.com https://files-origin.slack.com https://secure.gravatar.com https://uploads-cdn.chatlio.com;
object-src 'none';
style-src 'unsafe-inline';

The above policies get an "All Good" from Google's CSP Evaluator.

If you prefer a slightly smaller, more liberal version you can use:

default-src 'self' https://*.chatlio.com;
connect-src 'self' https://*.chatlio.com wss://*.chatlio.com wss://ws.pusherapp.com;
img-src *;
object-src 'none';
style-src 'unsafe-inline' https://*.chatlio.com;

These rules still receive "All Good" from Google's CSP Evaluator.
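
To see what the smaller policy loosens relative to the first one, the following added example (not Chatlio's code) parses both policies from this page and lists the sources the liberal version adds per directive. It applies the default-src fallback for script-src, which the liberal version omits; the function names are illustrative.

```javascript
// Added example, not Chatlio's code. Policy strings are copied from this page.
const STRICT = [
  "default-src 'self' https://w.chatlio.com",
  "script-src 'self' https://w.chatlio.com",
  "connect-src 'self' https://api.chatlio.com https://api-cdn.chatlio.com wss://push.chatlio.com wss://ws.pusherapp.com",
  "img-src 'self' data: https://w.chatlio.com https://avatars.slack-edge.com https://files.slack.com https://files-origin.slack.com https://secure.gravatar.com https://uploads-cdn.chatlio.com",
  "object-src 'none'",
  "style-src 'unsafe-inline'",
].join("; ");

const LIBERAL = [
  "default-src 'self' https://*.chatlio.com",
  "connect-src 'self' https://*.chatlio.com wss://*.chatlio.com wss://ws.pusherapp.com",
  "img-src *",
  "object-src 'none'",
  "style-src 'unsafe-inline' https://*.chatlio.com",
].join("; ");

// Split a serialized policy into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers; the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// An absent fetch directive falls back to default-src
// (both policies on this page define default-src).
function effectiveSources(directives, name) {
  return directives.get(name) ?? directives.get("default-src") ?? [];
}

// String-level diff: sources the second policy lists that the first does not.
function addedSources(basePolicy, otherPolicy, names) {
  const base = parseCsp(basePolicy);
  const other = parseCsp(otherPolicy);
  const result = {};
  for (const name of names) {
    const known = new Set(effectiveSources(base, name));
    result[name] = effectiveSources(other, name).filter((s) => !known.has(s));
  }
  return result;
}

const FETCH_DIRECTIVES = ["script-src", "connect-src", "img-src", "object-src", "style-src"];
console.log(addedSources(STRICT, LIBERAL, FETCH_DIRECTIVES));
```

The output shows that the liberal version allows scripts, connections and stylesheets from any chatlio.com subdomain and images from any host, while object-src stays at 'none'.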

Please contact us via our widget below if you have any questions or concerns about using Chatlio with CSP. We are happy to assist.
