Salesforce Communities / Experience

Experience builder CSP security level

The Security & Privacy section of the Experience Builder settings contains a subsection called Content Security Policy (CSP). Set "Security Level" to "Relaxed CSP: Permit Access to Inline Scripts and Allowed Hosts". This unlocks the ability to set CSPs for Talkative URLs.

Experience Builder Trusted Sites

The following is a list of sites that need to be added to the "Trusted Sites for Scripts" subsection found in the "Security & Privacy" section of the Experience Builder.

CSP Trusted Sites

These sites need to be added to the org's CSP trusted sites list. This can be found in the settings area of the main org (not in the experience builder). Go to Settings, then in the sidebar menu search box type "CSP Trusted Sites". Click the link in the sidebar to take you to the index page that allows you to create new CSP trusted site entries.

  • Engage S3 bucket
    • reason: handles file uploads / avatar
    • URL, either:
      • https://us-engage-app.s3.us-east-2.amazonaws.com/
      • https://eu-engage-app.s3.eu-west-1.amazonaws.com/ 
    • allow: img-src, media-src
    • context: Experience Builder Sites
  • Engage main site:
  • Sentry
    • reason: error logging
    • URL: https://sentry.io
    • allow: connect-src
    • context: Experience Builder Sites
  • Pusher SockJS
  • Pusher WebSocket
    • reason: real-time WebSocket connection
    • URL, either:
      • wss://ws-us2.pusher.com
      • wss://ws-eu.pusher.com
    • allow: connect-src
  • Talkative video CDN
    • reason: WebRTC-powered voice/video connection
    • URL: https://talkative-cdn.com/
  • Cobrowse
    • reason: WebSocket connection for cobrowse
    • URL, either:
      • wss://eu.talkative-ws.com/
      • wss://us.talkative-ws.com/
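
One way to confirm the trusted-site entries took effect is to check a Content-Security-Policy header value copied from the site's response against the list above. This is an added example, not code from Talkative or Salesforce; it covers only the entries this page lists with an explicit "allow" directive. The us/eu host pairing is inferred from the hostnames, the function names are hypothetical, and source matching is simplified.

```javascript
// Added example. Hosts come from the list above; only entries with a stated "allow" are checked.
const S3 = { us: "https://us-engage-app.s3.us-east-2.amazonaws.com",
             eu: "https://eu-engage-app.s3.eu-west-1.amazonaws.com" };
const PUSHER = { us: "wss://ws-us2.pusher.com", eu: "wss://ws-eu.pusher.com" };

// Required [directive, url] pairs for a region ("us" or "eu"; pairing inferred from hostnames).
function requiredEntries(region) {
  return [["img-src", S3[region]], ["media-src", S3[region]],
          ["connect-src", "https://sentry.io"], ["connect-src", PUSHER[region]]];
}

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // As in browsers, the first occurrence of a directive wins.
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Simplified match: same scheme, and same host or a leading "*." wildcard.
// Ports, paths, scheme-less sources and a bare "*" are not handled here.
function sourceAllows(source, url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)/i.exec(source);
  if (!m) return false; // keywords such as 'self' never cover a third-party host
  const target = new URL(url);
  if (m[1].toLowerCase() + ":" !== target.protocol) return false;
  const host = m[2].toLowerCase();
  return host.startsWith("*.") ? target.hostname.endsWith(host.slice(1))
                               : target.hostname === host;
}

// Return the required pairs that the policy does not cover (with default-src fallback).
function missingEntries(header, region) {
  const policy = parseCsp(header);
  return requiredEntries(region).filter(([directive, url]) => {
    const sources = policy[directive] || policy["default-src"] || [];
    return !sources.some((s) => sourceAllows(s, url));
  });
}

// Constructed sample header (not captured from a real site); the Pusher host is missing.
const SAMPLE = "default-src 'self'; img-src 'self' https://us-engage-app.s3.us-east-2.amazonaws.com; " +
  "media-src https://*.amazonaws.com; connect-src 'self' https://sentry.io";
console.log(missingEntries(SAMPLE, "us"));
```

An empty result means every checked entry is covered; each returned pair names the directive and host still to be added as a CSP trusted site.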

Adding script snippet

In the experience builder settings, go to the "Advanced" section, then click "Edit head markup". Then paste the snippet into the newly opened code editor.