Enabling Drift in your App's Content Security Policy (CSP)

Updated 5 months ago by Matt Bilotti

If your web app uses a Content Security Policy to safeguard your users from Cross-site Scripting vulnerabilities, you’ll need to whitelist our third-party JavaScript before using Drift’s in-app messaging features to know, grow, and amaze your customers.

Content Security Policy (CSP) is a set of rules that define what content on a webpage can or cannot be loaded by a visitor’s browser. 

If your app doesn’t have a CSP, then you don’t need to do anything to set up Drift on your website beyond adding our JavaScript snippet to your webpage and integrating our JavaScript SDK into your web app. 

If you’re interested in learning more about the benefits of adding a CSP to your site and how you can set one up, this article from Codeship is a great place to start.

If your site uses a CSP, here’s the minimal set of CSP rules needed to get up and running with Drift’s JavaScript SDK:

default-src 'self'; 
connect-src 'self' https://*.drift.com; 
script-src 'self' https://js.driftt.com; 
frame-src 'self' https://js.driftt.com; 
style-src 'self' https://js.driftt.com;

Quick explanation of these rules

Before going into detail on what each CSP rule means, it’s useful to have a high-level overview. Our JavaScript snippet and our Segment integration work by dynamically adding a script tag to your page which loads our JavaScript SDK from our CDN. The majority of our assets are served from our CloudFront CDN at https://js.driftt.com. The widget also needs to connect to our APIs, which are hosted at subdomains of drift.com.

Our APIs are located at https://customer.api.drift.com, https://event.api.drift.com, and https://conversation.api.drift.com.

Our JavaScript SDK and in-app messaging tool are served from https://js.driftt.com.

Our CSS and inline style changes are served from https://js.driftt.com.

Most of the Drift widget runs inside of an iframe that is served from our CDN. This means that the majority of assets and connections are sandboxed from your website.
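To check whether an existing policy already lets the widget load before you edit it, here is an added Python checker (example code written for this article, not Drift’s own tooling). It parses a CSP header value, applies the default-src fallback that browsers use for the four directives above, and reports which Drift origins each directive still blocks. Host matching follows the CSP source-expression rules for scheme and wildcard subdomains; 'self' is treated as not matching Drift’s origins, since your page is not hosted on drift.com or driftt.com.

```python
from urllib.parse import urlsplit

# Origins the widget needs per directive, taken from the rules explained above.
DRIFT_REQUIREMENTS = {
    "connect-src": ["https://customer.api.drift.com", "https://event.api.drift.com",
                    "https://conversation.api.drift.com"],
    "script-src": ["https://js.driftt.com"],
    "frame-src": ["https://js.driftt.com"],
    "style-src": ["https://js.driftt.com"],
}


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def source_allows(source: str, url: str) -> bool:
    """Does one CSP source expression (e.g. https://*.drift.com) permit url?"""
    target = urlsplit(url)
    if source == "*" or source == target.scheme + ":":  # '*' or scheme-only source
        return True
    if source.startswith("'"):  # 'self', 'none', nonces, hashes: never a Drift host
        return False
    host_src = urlsplit(source if "://" in source else "//" + source)
    if not host_src.hostname or (host_src.scheme and host_src.scheme != target.scheme):
        return False
    if host_src.hostname.startswith("*."):  # wildcard matches subdomains only
        return target.hostname.endswith(host_src.hostname[1:])
    return host_src.hostname == target.hostname


def missing_sources(header: str) -> list:
    """Return (directive, url) pairs the policy still blocks, honouring default-src fallback."""
    policy = parse_csp(header)
    missing = []
    for directive, urls in DRIFT_REQUIREMENTS.items():
        sources = policy.get(directive, policy.get("default-src", []))
        for url in urls:
            if not any(source_allows(s, url) for s in sources):
                missing.append((directive, url))
    return missing


if __name__ == "__main__":
    print(missing_sources("default-src 'self'"))  # every Drift origin is still blocked
```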

