If your website enforces a Content Security Policy, add the following directives so the chat widget can load.

Required directives

Merge these with your existing CSP values.
Content-Security-Policy:
  script-src https://platform.typewise.app 'unsafe-inline';
  connect-src https://platform-api.typewise.app https://*.ably.net wss://*.ably.net https://*.ably-realtime.com wss://*.ably-realtime.com;
  style-src 'unsafe-inline';
  img-src https://platform-uploads.typewise.app data:;

Optional: file attachments

connect-src ... https://*.s3.eu-central-1.amazonaws.com;

Optional: voice input

connect-src ... wss://api.elevenlabs.io;
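
One way to do the merge described under Required directives, including the two optional sources, as an added example that is not Typewise's own code: the function and option names are hypothetical, the source values are the ones listed on this page, and the sample policy is constructed. It also seeds a newly created directive from default-src, because a directive that is set explicitly no longer falls back to default-src.

```javascript
// Added example: merge the widget's CSP sources into an existing policy string.
// Source values are copied from this page; function and option names are hypothetical.
const WIDGET_SOURCES = {
  'script-src': ['https://platform.typewise.app', "'unsafe-inline'"],
  'connect-src': [
    'https://platform-api.typewise.app',
    'https://*.ably.net', 'wss://*.ably.net',
    'https://*.ably-realtime.com', 'wss://*.ably-realtime.com',
  ],
  'style-src': ["'unsafe-inline'"],
  'img-src': ['https://platform-uploads.typewise.app', 'data:'],
};
const OPTIONAL_CONNECT = {
  attachments: 'https://*.s3.eu-central-1.amazonaws.com',
  voice: 'wss://api.elevenlabs.io',
};

// Parse "name v1 v2; name2 v3" into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Browsers ignore a repeated directive, so keep only the first occurrence.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function mergeWidgetCsp(existingPolicy, { attachments = false, voice = false } = {}) {
  const directives = parseCsp(existingPolicy);
  const required = { ...WIDGET_SOURCES, 'connect-src': [...WIDGET_SOURCES['connect-src']] };
  if (attachments) required['connect-src'].push(OPTIONAL_CONNECT.attachments);
  if (voice) required['connect-src'].push(OPTIONAL_CONNECT.voice);

  for (const [name, sources] of Object.entries(required)) {
    // A directive that did not exist was inheriting default-src; start from
    // those sources so the site's own resources stay allowed.
    const current = directives.get(name) ?? directives.get('default-src') ?? [];
    // 'none' is only valid on its own, so drop it before adding hosts.
    const kept = current.filter((s) => s.toLowerCase() !== "'none'");
    directives.set(name, [...new Set([...kept, ...sources])]);
  }
  return [...directives].map(([n, s]) => [n, ...s].join(' ')).join('; ');
}

// Constructed sample policy, not taken from a real site.
console.log(mergeWidgetCsp("default-src 'self'; img-src 'none'", { voice: true }));
```

Browsers ignore 'unsafe-inline' in a directive that also carries a nonce or hash, so if the existing style-src uses one, the merged policy will still block the widget's runtime styles.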

Directive reference

script-src

| Value | Reason |
| --- | --- |
| https://platform.typewise.app | Hosts the SDK bundle (sdk.js) |
| 'unsafe-inline' | Installation snippet sets window.twConfig inline |

To avoid 'unsafe-inline' in script-src, add a nonce to the inline script and use 'strict-dynamic':
script-src 'nonce-YOUR_NONCE' 'strict-dynamic';
This does not eliminate 'unsafe-inline' from style-src. The widget injects styles at runtime and does not support style nonces.

connect-src

| Value | Reason |
| --- | --- |
| https://platform-api.typewise.app | API calls |
| https://*.ably.net wss://*.ably.net | Real-time messaging |
| https://*.ably-realtime.com wss://*.ably-realtime.com | Real-time messaging failover |
| https://*.s3.eu-central-1.amazonaws.com | File uploads (if attachments enabled) |
| wss://api.elevenlabs.io | Voice input (if voice enabled) |

style-src

| Value | Reason |
| --- | --- |
| 'unsafe-inline' | The widget injects styles at runtime. Nonces aren’t supported. Not optional. |

img-src

| Value | Reason |
| --- | --- |
| https://platform-uploads.typewise.app | Widget logo and bubble icon |
| data: | Inline UI icons bundled in the SDK |

Verify your CSP

1. Open your website. Load the page with the chat widget installed.
2. Open the console. Press F12, go to the Console tab.
3. Look for CSP errors. Errors start with Refused to load or Refused to connect and name the blocked domain and directive.
4. Add the blocked domain. Add it to the matching directive in your CSP header.

Troubleshooting

| Symptom | Check |
| --- | --- |
| Widget doesn’t appear | script-src missing https://platform.typewise.app |
| Messages don’t send or arrive | connect-src missing https://platform-api.typewise.app or Ably domains |
| Widget unstyled or broken layout | style-src missing 'unsafe-inline' |
| File uploads fail | connect-src missing https://*.s3.eu-central-1.amazonaws.com |
| Real-time messages intermittent | connect-src missing *.ably-realtime.com failover domains |
