Content Security Policy (CSP) Headers
If your website uses a Content Security Policy (CSP), you may need to update it to allow Eloquent Chat to load and operate correctly.
This article explains which CSP headers are required when using Eloquent and why they are needed.
What Is Content Security Policy?
Content Security Policy is a browser security mechanism that helps prevent cross-site scripting (XSS) and other injection attacks by controlling which sources are allowed to load scripts, frames, and other resources.
If your CSP is too restrictive, the Eloquent Chat widget may not load or function as expected.
You can learn more about CSP headers on MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Why Eloquent Requires CSP Configuration
Eloquent Chat loads JavaScript assets and embeds the chat interface from Eloquent-managed domains.
To ensure the widget works reliably, these domains must be explicitly allowed in your CSP.
Without the correct configuration, you may experience:
- The chat widget not appearing
- Company tracking and analytics not loading correctly
- Console errors related to blocked scripts or frames
Required CSP Directives
To embed agents on your site, make sure the following directives are included in your Content Security Policy.
Script Sources (script-src)
Eloquent loads scripts from the following domains:
script-src radar.eloquent.chat eloquent.chat cdn.eloquent.chat
These domains are used for:
- Loading the main Eloquent.chat widget
- Serving static assets from the CDN
- Handling company tracking and analytics
Frame Sources (frame-src)
The chat interface is rendered inside an embedded iframe:
frame-src eloquent.chat
This allows the Eloquent.chat UI to be displayed on your website.
Example CSP Configuration
Below is an example of how the required directives can be added to an existing CSP header.
Content-Security-Policy: script-src 'self' radar.eloquent.chat eloquent.chat cdn.eloquent.chat; frame-src 'self' eloquent.chat;
Make sure to merge these values with your current policy rather than replacing it entirely.
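One way to do the merge described above, as an added example that is not Eloquent's own code: it adds the hosts listed in this article to an existing policy, copies the fallback directive's sources when script-src or frame-src is absent, and drops 'none' once real sources are listed. The function names and the sample policy are constructed for illustration.

```javascript
// Added example: merge the Eloquent sources into an existing CSP header value.
// Hosts come from this article; the function names are illustrative.
const ELOQUENT_SOURCES = {
  "script-src": ["radar.eloquent.chat", "eloquent.chat", "cdn.eloquent.chat"],
  "frame-src": ["eloquent.chat"],
};
// Directives a browser falls back to when the key is absent from the policy.
const FALLBACKS = { "script-src": ["default-src"], "frame-src": ["child-src", "default-src"] };

// Parse "name v1 v2; name2 v3" into an ordered Map (first occurrence wins, as in browsers).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), values);
  }
  return policy;
}

function mergeEloquentSources(header) {
  const policy = parseCsp(header);
  for (const [directive, hosts] of Object.entries(ELOQUENT_SOURCES)) {
    let current = policy.get(directive);
    if (current === undefined) {
      // Creating the directive stops the fallback from applying, so copy
      // the fallback's sources first to keep what the site already allowed.
      const fallback = FALLBACKS[directive].find((d) => policy.has(d));
      if (fallback === undefined) continue; // unrestricted today: leave it alone
      current = [...policy.get(fallback)];
    }
    // 'none' must stand alone; drop it once real sources are listed.
    const merged = current.filter((v) => v.toLowerCase() !== "'none'");
    for (const host of hosts) if (!merged.includes(host)) merged.push(host);
    policy.set(directive, merged);
  }
  return [...policy].map(([name, values]) => [name, ...values].join(" ")).join("; ");
}

// Constructed sample policy: no frame-src, so frames currently fall back to default-src.
const existing = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *";
console.log("Content-Security-Policy: " + mergeEloquentSources(existing));
```

When a policy sets neither the directive nor any of its fallbacks, the function leaves it untouched, because adding the directive would start restricting that resource type to the Eloquent hosts alone.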
Troubleshooting
The chat widget does not load
Check that all required domains are present in script-src.
The chat iframe is blocked or blank
Verify that eloquent.chat is included in frame-src.
CSP errors in the browser console
Look for blocked resource messages and confirm your CSP matches the configuration above.
Need help
If you’re unsure how to update your Content Security Policy or run into issues after making changes, contact support and include:
- Your current CSP header
- The URL where the issue occurs
- Any browser console error messages
We’re happy to help you get everything set up correctly.