Content Security Policies (CSPs) for Zoho Assist Cobrowse 

If your website uses Content Security Policies (CSPs), they may restrict the functionality of Zoho Assist Cobrowse. When CSP settings block Zoho Assist’s cobrowse service, the connection fails and an error appears in the browser’s JavaScript console.

You may see an error similar to the following, indicating that the WebSocket connection required for cobrowse is being blocked by your current CSP configuration.

connecting to wss://ch1.zohoassist.com/... violates the following Content Security Policy directive: "connect-src 'self'"

Allowing Zoho Assist Cobrowse in your CSP 

To ensure Zoho Assist Cobrowse functions correctly, update your CSP to permit connections to Zoho Assist’s cobrowse APIs and WebSocket endpoints.

Note:

  • Add the necessary HTTPS and WebSocket (wss://) endpoints to the connect-src directive in your CSP.

  • Ensure the appropriate script-src entries are included for loading Zoho Assist resources.

  • If your organization enforces strict CSP rules, you may replace 'unsafe-inline' with hash-based or nonce-based sources in accordance with your internal security policies.

Use the CSP configuration that corresponds to your Zoho Assist Data Center (DC). Applying the correct DC-specific CSP helps prevent connection failures and ensures seamless cobrowsing.

CSP configurations (DC-specific)  

   <!DOCTYPE html>
   <html lang="en">
   <head>
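       <!-- Keep only the one meta tag for your DC. A browser enforces every CSP it finds, so a request must be allowed by all of them. -->
       <!-- US DC -->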
       <meta http-equiv="Content-Security-Policy" 
           content=" 
               script-src 'unsafe-inline'
                   https://static.zohocdn.com
                   https://assist.zoho.com;
               connect-src 'unsafe-inline'
                   https://assist.zoho.com
                   wss://*.zohoassist.com;">
       <!-- EU DC -->
       <meta http-equiv="Content-Security-Policy"
           content=" 
               script-src 'unsafe-inline'
                   https://static.zohocdn.com
                   https://assist.zoho.eu;
               connect-src 'unsafe-inline'
                   https://assist.zoho.eu
                   wss://*.zohoassist.com;">
       <!-- IN DC -->
       <meta http-equiv="Content-Security-Policy" 
           content=" 
               script-src 'unsafe-inline'
                   https://static.zohocdn.com
                   https://assist.zoho.in;
               connect-src 'unsafe-inline'
                   https://assist.zoho.in
                   wss://*.zohoassist.com;">
       <!-- CN DC -->
       <meta http-equiv="Content-Security-Policy" 
           content=" 
               script-src 'unsafe-inline'
                   https://static.zohocdn.com.cn
                   https://assist.zoho.com.cn;
               connect-src 'unsafe-inline'
                   https://assist.zoho.com.cn
                   wss://*.zohoassist.com
                   wss://*.zohoassist.com.cn;">
       <!-- JP DC -->
       <meta http-equiv="Content-Security-Policy" 
           content=" 
               script-src 'unsafe-inline'
                   https://static.zohocdn.com
                   https://assist.zoho.jp;
               connect-src 'unsafe-inline'
                   https://assist.zoho.jp
                   wss://*.zohoassist.com;">
       <!-- AU DC -->
       <meta http-equiv="Content-Security-Policy" 
           content=" 
               script-src 'unsafe-inline'
                   https://static.zohocdn.com
                   https://assist.zoho.com.au;
               connect-src 'unsafe-inline'
                   https://assist.zoho.com.au
                   wss://*.zohoassist.com;">
       <!-- SA DC -->
       <meta http-equiv="Content-Security-Policy" 
           content=" 
               script-src 'unsafe-inline'
                   https://static.zohocdn.com
                   https://assist.zoho.sa;
               connect-src 'unsafe-inline'
                   https://assist.zoho.sa
                   wss://*.zohoassist.com;">
       <!-- CA DC -->
       <meta http-equiv="Content-Security-Policy" 
           content=" 
               script-src 'unsafe-inline'
                   https://static.zohocdn.com
                   https://assist.zohocloud.ca;
               connect-src 'unsafe-inline'
                   https://assist.zohocloud.ca
                   wss://*.zohoassist.com;">
   </head>
   <body>
   </body>
   </html>
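
To check a site's existing policy against the entries listed above, the following added example (not Zoho's code) parses a CSP string and reports which Zoho Assist sources are missing and which sources were cut off into their own directive by a misplaced semicolon. It assumes the US DC values and compares entries literally; `REQUIRED`, `parseCsp` and `auditCsp` are names chosen for this example.

```javascript
// Added example, not Zoho's code. REQUIRED copies the US DC entries from this page;
// replace the hosts with the ones listed for your own data center.
const REQUIRED = {
  'script-src': ['https://static.zohocdn.com', 'https://assist.zoho.com'],
  'connect-src': ['https://assist.zoho.com', 'wss://*.zohoassist.com'],
};

// Split a policy into { directive: [sources] }. As in browsers, directives are
// separated by ';' and a repeated directive name is ignored after its first use.
function parseCsp(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Returns { missing, stray }: required entries that are absent, and tokens that
// ended up as directive names because a ';' was placed before them.
function auditCsp(policy, required = REQUIRED) {
  const directives = parseCsp(policy);
  const missing = [];
  for (const [name, sources] of Object.entries(required)) {
    // script-src and connect-src fall back to default-src when not declared.
    const effective = directives[name] ?? directives['default-src'];
    if (effective === undefined) continue; // nothing restricts this fetch type
    for (const src of sources) {
      // Simplification: literal comparison, not full CSP source matching.
      if (!effective.includes(src)) missing.push(`${name} ${src}`);
    }
  }
  const stray = Object.keys(directives).filter((n) => n.includes(':') || n.includes('.'));
  return { missing, stray };
}

// Constructed sample policies.
const strictSite = "default-src 'self'; connect-src 'self'";
const misplacedSemicolon =
  "script-src https://static.zohocdn.com https://assist.zoho.com; " +
  "connect-src https://assist.zoho.com; wss://*.zohoassist.com";

console.log(auditCsp(strictSite));
console.log(auditCsp(misplacedSemicolon));
```

Run it with Node.js against the policy your server actually sends; an empty `missing` and `stray` means every listed entry is present in the right directive.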
