Skip to main content

         This documentation site is for previous versions. Visit our new documentation site for current releases.      

Content security policy

Updated on March 16, 2021

The Content Security Policy (CSP) is a set of directives informing the user's browser of locations from which an application can load resources. These locations are provided in the form of URL schemes, including an asterisk (*) to represent all URLs. Each directive governs a specific resource type that affects what is displayed in a browser. Collectively, the directives are sent to the client in the Content-Security-Policy HTTP header. Each browser type and version obey as much of the policy as they can. If a browser does not understand a directive, it is ignored; otherwise, it is explicitly followed.

Pega Customer Service Implementation Guide Pega Customer Service Implementation Guide

Configuring CSP for Legacy Webchat

Configure the CSP directives so that browsers load resources only from authorized websites.

Before you begin: Create your content security policy. For more information, see Creating a content security policy.
  1. In the Dev Studio header, click the application, and then click Definition.
  2. On your application page, click the Security tab.
  3. In the Content security section, press the down arrow, and then select the policy name for which you want to configure the derivatives.
  4. To configure the CSP directives for the selected policy, click the Open icon beside the policy name.
    Content security policy
    Content security policy
    The system opens the <policy name> page with the Policy Definition tab where you can configure the content security policy derivatives. For more information on CSP derivatives, see Content security policies.
  5. On the Policy Definition tab, in the Content Security Policy section, expand the section of the directive for which you want to list allowed websites.
  6. Under Allowed websites, click the Add a row icon.
  7. In the Allowed websites field, enter the URL of the website for which to grant access.
    For Legacy Webchat, enter the chat URL in the Allowed websites field for Connect-Source, Script-Source, and Image-Source directives.
  8. In the Notes field, enter a short description about why the site should have access.
  9. Click Save to save the CSP directives.
  10. On your application page specify whether to enforce the policy, or to report usage of the policy without enforcing the policy, by selecting either of the following modes:
    • Reject and report – Enforces the policy.
    • Report only – Reports, but does not enforce the policy.
  11. Click Save to save all the changes on the application page.

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best. is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us