Content Security Policy (CSP) support

Recommended setup

The Web Widget supports websites that use a Content Security Policy (CSP) and follows Google's strict CSP guidelines. We recommend following Google's policy for the best support and easiest setup with the Web Widget.

When following these guidelines, add the nonce attribute to the Web Widget snippet.

<!-- Start of Zendesk Widget script -->
<script nonce="{random}" id="ze-snippet" src="https://static.zdassets.com/ekr/snippet.js?key=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"> </script>
<!-- End of Zendesk Widget script -->

This {random} value must be a unique, cryptographically random value that the server generates afresh for every response in which the CSP is sent; the same nonce must appear both in the Content-Security-Policy header and in the nonce attribute of the snippet.

Note: This security policy works with the new version of the Zendesk Web Widget snippet. Please ensure that your snippet looks like the example above by following these steps.

Custom setup (using other CSP directives)

We cannot guarantee that the Web Widget won't violate a custom CSP that does not follow Google's guidelines. However, if you add the following hosts to the default-src directive in your policy, it should prevent the Web Widget from causing violations:

default-src 'self'
            https://static.zdassets.com
            https://ekr.zdassets.com
            https://{zendeskSubdomain}.zendesk.com
            wss://{zendeskSubdomain}.zendesk.com

If your policy specifies more specific directives such as script-src or connect-src, those directives take precedence over default-src for their resource type, so add the hosts listed above to them as well.

Additional setup with legacy Chat

Add the extra hosts listed below:

https://*.zopim.com
https://*.zopim.io

You must also relax your policy for inline scripts and CSS styles by specifying 'unsafe-inline' in both the script-src and style-src directives. This is because the snippet and styles for chat are injected into the host page at runtime. An example header that uses a custom script-src directive would look like:

Content-Security-Policy: script-src 'self' https://static.zdassets.com https://ekr.zdassets.com https://{zendeskSubdomain}.zendesk.com wss://{zendeskSubdomain}.zendesk.com https://*.zopim.com wss://*.zopim.com https://*.zopim.org https://*.zopim.io 'unsafe-inline'; style-src 'unsafe-inline'
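To check an existing policy against the custom-setup host list above and the extra legacy Chat requirements, here is an added example (not Zendesk's code) of a small CSP checker. It parses a Content-Security-Policy header value, applies the CSP fallback rule (script-src, connect-src and style-src fall back to default-src when they are absent), and reports which of the page's hosts a policy would block and, in legacy Chat mode, whether 'unsafe-inline' is missing from script-src or style-src. The subdomain "example" and the function names (parseCsp, effectiveSources, sourceAllows, widgetViolations) are constructed for this example.

```javascript
// Added example, not Zendesk's own code: report CSP violations the Web Widget
// would trigger under a given policy, following the host lists on this page.
const ZENDESK_SUBDOMAIN = 'example'; // constructed value; use your own subdomain

// Hosts the page lists for a custom policy.
const WIDGET_HOSTS = [
  'https://static.zdassets.com',
  'https://ekr.zdassets.com',
  `https://${ZENDESK_SUBDOMAIN}.zendesk.com`,
  `wss://${ZENDESK_SUBDOMAIN}.zendesk.com`,
];
// Extra hosts the page lists for legacy Chat.
const LEGACY_CHAT_HOSTS = ['https://*.zopim.com', 'https://*.zopim.io'];

// Parse "directive source source; directive ..." into a Map of directive -> sources.
// Per the CSP spec, a repeated directive is ignored after its first occurrence.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Fetch directives fall back to default-src; null means the resource type is unrestricted.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  return policy.has('default-src') ? policy.get('default-src') : null;
}

// Split "scheme://host[:port]" into its parts; returns null for keywords like 'self'.
function splitHostSource(expr) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)(?::(\d+|\*))?/i.exec(expr);
  return m ? { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] || null } : null;
}

// CSP treats an http: source as also matching https:, and ws: as also matching wss:.
function schemeMatches(srcScheme, originScheme) {
  if (srcScheme === originScheme) return true;
  return (srcScheme === 'http' && originScheme === 'https') || (srcScheme === 'ws' && originScheme === 'wss');
}

// Does one source expression allow the given origin? Handles '*', scheme-only
// sources ("https:"), wildcard hosts ("*.zopim.com") and exact hosts.
function sourceAllows(src, origin) {
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return schemeMatches(src.slice(0, -1).toLowerCase(), origin.scheme);
  const s = splitHostSource(src);
  if (!s) return false; // 'self', 'unsafe-inline', 'none', nonces: never match a remote host
  if (!schemeMatches(s.scheme, origin.scheme)) return false;
  if (s.host.startsWith('*.')) return origin.host.endsWith(s.host.slice(1));
  return s.host === origin.host;
}

// Return human-readable violations; an empty array means the widget should load.
function widgetViolations(header, { legacyChat = false } = {}) {
  const policy = parseCsp(header);
  const hosts = legacyChat ? WIDGET_HOSTS.concat(LEGACY_CHAT_HOSTS) : WIDGET_HOSTS;
  const violations = [];
  for (const directive of ['script-src', 'connect-src']) {
    const sources = effectiveSources(policy, directive);
    if (sources === null) continue; // neither the directive nor default-src is set
    for (const host of hosts) {
      const origin = splitHostSource(host);
      if (!sources.some((src) => sourceAllows(src, origin))) {
        violations.push(`${directive} blocks ${host}`);
      }
    }
  }
  if (legacyChat) {
    // Legacy Chat injects inline script and style at runtime.
    for (const directive of ['script-src', 'style-src']) {
      const sources = effectiveSources(policy, directive);
      if (sources !== null && !sources.includes("'unsafe-inline'")) {
        violations.push(`${directive} lacks 'unsafe-inline' (required by legacy Chat)`);
      }
    }
  }
  return violations;
}

module.exports = { parseCsp, effectiveSources, sourceAllows, splitHostSource, widgetViolations };
```

Two behaviours worth noticing when you run it: a policy that sets only default-src with the hosts above passes, because script-src and connect-src inherit from it, whereas a policy with a narrow custom script-src and no connect-src fails on the WebSocket host, since browsers consult connect-src (and then default-src) for wss: connections. Checking the wildcard legacy hosts requires a policy source at least as broad as the wildcard itself.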