A Content Security Policy (CSP) lets administrators control which assets a visitor's browser is able to load on a landing page, and from which domain(s) those assets are allowed.
This article is for administrators who may have a CSP present on their landing page and need to know which directives to add our domain to in order to allow Chili Piper Concierge resources to load, such as our marketing.js script file and related iframe popup window.
Directives
As a fallback, this directive is used:
- default-src
At a minimum, an administrator should add *.chilipiper.com to their "default-src" CSP directive.
That way, if none of the other directives (listed below) are present, the policy will still allow Chili Piper to function.
CSP has several more specific directives that may need to be modified to allow-list Chili Piper's domain if they are present. When one of them is present, the browser applies it instead of default-src for that resource type, so the domain must be added to it as well.
The directives that may prevent Chili Piper from loading include:
- connect-src
- script-src
- frame-src
Allowing Chili Piper Resources
The following domain should be added to all directives listed above:
- https://*.chilipiper.com
The asterisk (*) in this case acts as a wildcard to allow any resource loading from any Chili Piper subdomain to run correctly.
If you prefer to allow specific hosts instead of the wildcard, allow the following domains:
- https://js.chilipiper.com
- https://api.chilipiper.com
- https://apps.chilipiper.com
- https://fire.chilipiper.com
Information on this page is subject to change. As a result, we recommend using wildcards whenever possible to allow Chili Piper resources to function.
If your landing page does not currently have an active CSP, the above information will not be required for Chili Piper or Concierge to function.
If you don't have access to modify your CSP, or are not sure if you have one, please reach out to your web development team for more information.
Failure to properly include Chili Piper in a CSP can result in Concierge not loading when a form is submitted.
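To check an existing policy against the directives listed above, the following added example (not Chili Piper's code) parses a CSP string and reports which directives would still block Chili Piper, following the browser's fallback to default-src. The pairing of each directive with a subdomain, the sample policies and cdn.example.com are assumptions made for illustration, and the source matcher is simplified (no ports or paths).

```javascript
// Added example, not vendor code. Fallback chains from the CSP spec:
// an absent directive defers to the next name in its chain.
const FALLBACK = {
  "script-src": ["script-src", "default-src"],
  "connect-src": ["connect-src", "default-src"],
  "frame-src": ["frame-src", "child-src", "default-src"],
};
// Assumed directive -> resource pairing, for illustration only.
const NEEDS = [
  ["script-src", "https://js.chilipiper.com/"],
  ["connect-src", "https://api.chilipiper.com/"],
  ["frame-src", "https://apps.chilipiper.com/"],
];
// Parse a policy string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first duplicate wins
  }
  return directives;
}
// Simplified source match: "*", a scheme such as "https:", or an exact / "*." wildcard host.
function sourceAllows(source, url) {
  const { protocol, hostname } = new URL(url);
  if (source === "*" || source.toLowerCase() === protocol) return true;
  const m = /^(?:(https?):\/\/)?(\*\.)?([a-z0-9.-]+)$/i.exec(source);
  if (!m) return false; // 'self', 'none', nonces and hashes never match a third-party host
  const [, scheme, wildcard, host] = m;
  if (scheme && scheme.toLowerCase() + ":" !== protocol) return false;
  const h = host.toLowerCase();
  return wildcard ? hostname.endsWith("." + h) : hostname === h;
}
// Return the directives whose governing source list does not allow the needed resource.
function blockedDirectives(policy, needs = NEEDS) {
  const csp = parseCsp(policy);
  const blocked = [];
  for (const [directive, url] of needs) {
    const governing = FALLBACK[directive].find((d) => csp.has(d));
    if (governing && !csp.get(governing).some((s) => sourceAllows(s, url))) {
      blocked.push(`${directive} (governed by ${governing})`);
    }
  }
  return blocked;
}
// Constructed policies: BEFORE adds the domain to default-src only; AFTER also adds it to script-src.
const BEFORE = "default-src 'self' https://*.chilipiper.com; script-src 'self' https://cdn.example.com";
const AFTER = BEFORE + " https://*.chilipiper.com";
console.log(blockedDirectives(BEFORE), blockedDirectives(AFTER));
```

In the BEFORE policy the existing script-src takes precedence over default-src, so the script is still blocked until the domain is added to script-src itself.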