I am currently deploying Web Messaging on a high-security banking portal. I have added *.mypurecloud.com to our Content Security Policy (CSP) headers, but I am still seeing ‘Refused to connect’ errors in the browser console for some of the messaging assets. Specifically, it seems to be blocking the ‘Fonts’ and some ‘WebSocket’ connections. Is there a comprehensive list of all the domains and protocols that need to be allowed in a restrictive CSP for a full Web Messaging deployment?
Hey Hay84! I am a recording export specialist and I deal with these security headers all the time. For fonts, you must include fonts.gstatic.com and fonts.googleapis.com in your font-src directive, as the messaging widget pulls some assets from Google. For the WebSockets, make sure you are using the wss: protocol in your connect-src. Just allowing the domain is often not enough if the protocol is not explicitly whitelisted.
I have seen many students struggle with this during their certification labs. To follow up on Han64, you should also check the frame-src directive. Since the messaging widget is hosted in an iframe, your banking portal must allow the Genesys Cloud domain to be framed. If you forget this, the widget will never even start to load!
Hello everyone! I am a Genesys PS consultant and I want to add that for some regions, you might also need to whitelist the specific regional AWS endpoints (like *.amazonaws.com) for media uploads and recording playback. I have a detailed ‘CSP Hardening Guide’ for Genesys Cloud that lists every single endpoint for the US-East, EMEA, and APAC regions if you would like me to share it!
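A worked example added here (not code from the thread, from Genesys, or from the hardening guide mentioned above): a small Python helper that assembles a header with the directives the posts name and lints it for two things a defender checks first, a fetch directive silently falling back to default-src (which produces 'Refused to connect' for a host you believed was allowed) and wildcard sources over shared cloud parent domains that admit every tenant of that service rather than one vendor. The hostnames are the ones quoted in the thread; the portal serving its own assets from 'self', the style-src entry for the Google Fonts stylesheet, and the shared-domain watch-list are assumptions.

```python
from __future__ import annotations
# Wildcards over these parent domains admit every tenant of a shared cloud
# service, not just one vendor (constructed watch-list for the linter).
SHARED_PARENT_DOMAINS = ("amazonaws.com", "cloudfront.net", "blob.core.windows.net")
# Fetch directives that inherit default-src when they are not set (CSP3 fallback).
FALLS_BACK_TO_DEFAULT = ("font-src", "connect-src", "frame-src", "script-src", "style-src", "img-src")

def parse_csp(header: str) -> dict[str, list[str]]:
    policy: dict[str, list[str]] = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def build_csp(policy: dict[str, list[str]]) -> str:
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in policy.items())

def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Sources the browser actually enforces for a directive, honouring the fallback."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", []) if directive in FALLS_BACK_TO_DEFAULT else []

def lint_csp(header: str) -> list[str]:
    """Flag silent fallbacks (a cause of 'Refused to connect') and over-broad wildcards."""
    policy, findings = parse_csp(header), []
    for directive in ("font-src", "connect-src", "frame-src"):
        if directive not in policy and "default-src" in policy:
            findings.append(f"{directive} unset: falls back to default-src {policy['default-src']}")
    for directive, sources in policy.items():
        for src in sources:
            host = src.split("://")[-1].lower()  # drop an explicit scheme such as wss://
            if src == "*":
                findings.append(f"{directive}: bare * allows any origin")
            elif host.startswith("*.") and any(host[2:] == d or host[2:].endswith("." + d)
                                               for d in SHARED_PARENT_DOMAINS):
                findings.append(f"{directive}: {src} admits every tenant of a shared cloud domain")
    return findings

# Constructed policy for the portal in the thread: hostnames come from the posts;
# that the portal serves its own assets from 'self' is an assumption.
WEB_MESSAGING_CSP = build_csp({
    "default-src": ["'self'"],
    "script-src": ["'self'", "*.mypurecloud.com"],
    "style-src": ["'self'", "fonts.googleapis.com"],            # Google Fonts stylesheet
    "font-src": ["fonts.gstatic.com", "fonts.googleapis.com"],  # as advised in the thread
    "connect-src": ["'self'", "*.mypurecloud.com", "wss://*.mypurecloud.com"],
    "frame-src": ["*.mypurecloud.com"],
})
```

Running `lint_csp(WEB_MESSAGING_CSP)` returns no findings, while a header that omits font-src or frame-src, or uses a wildcard such as `*.amazonaws.com`, is reported with the directive that caused it.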