Securing Drift on your Site

If your web app uses a Content Security Policy to safeguard your users from cross-site scripting vulnerabilities, you’ll need to whitelist our third-party JavaScript before using Drift’s in-app messaging features to know, grow, and amaze your customers.

A Content Security Policy (CSP) is a set of rules that define what content on a webpage can or cannot be loaded by a visitor’s browser.

If your app doesn't have a CSP

Then you don’t need to do anything to set up Drift on your website beyond adding our JavaScript snippet to your webpage and integrating our JavaScript SDK into your web app.

If you’re interested in learning more about the benefits of adding a CSP to your site and how you can set one up, this article from Codeship is a great place to start.

If your site uses a CSP, here’s the minimal set of CSP rules needed to get up and running with Drift’s JavaScript SDK:

script-src 'self' https://js.driftt.com https://widget.drift.com;
frame-src 'self' https://js.driftt.com https://widget.drift.com;

Note that within a directive the sources are separated by spaces; a semicolon ends the directive, so the two hosts must not be separated by one (a host placed after a stray semicolon is parsed as an unknown directive name and ignored by the browser).

A few more steps for Salesforce Experience Builder (Community) Pages

First, add 'https://js.driftt.com' to the whitelist in Salesforce Experience Builder within Settings > Security > Trusted Sites for Scripts. Then, open Salesforce Setup and search for Content Security Policy Trusted sites, before adding that same URL as a Trusted Site with the 'Community' context.

Quick explanation of these rules

Before we go into the detail of what the CSP rules mean, it’s useful to have a high-level overview. Our JavaScript snippet works by dynamically adding a script tag to your page, which then loads the Drift widget inside an iframe hosted by our Content Delivery Network (CDN).

script-src
This enables our JavaScript SDK (which exposes the Widget API and bootstraps the Drift widget's iframe) to be served from https://js.driftt.com.

frame-src
This enables the Drift widget's iframe to be loaded on your site from https://js.driftt.com. The majority of the widget's assets are loaded from within this iframe, so they are already sandboxed from the rest of your site's content.
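To check that a policy actually covers both the script-src and frame-src requirements described above, here is an added example (not Drift's code) of a small CSP parser and source matcher. It parses a policy the way a browser does (directives separated by semicolons, sources by spaces, fallback to child-src/default-src when a directive is absent) and reports whether the SDK script and widget iframe would be allowed. It also shows why a stray semicolon between two hosts breaks the policy. The asset paths, the page origin and both sample policies are constructed for the example; only 'self', '*' and host sources are matched, while nonces, hashes and other keyword sources are deliberately out of scope.

```javascript
// Added example, not Drift's code: a minimal CSP parser and source matcher that
// reports whether a policy lets the Drift SDK script (script-src) and the
// widget iframe (frame-src) load. Host sources, 'self' and '*' are matched;
// nonces, hashes and other keyword sources are deliberately not handled.

const KNOWN_DIRECTIVES = new Set([
  "default-src", "script-src", "frame-src", "child-src", "connect-src",
  "img-src", "style-src", "font-src",
]);

// Directives a browser consults, in order, when the requested one is absent.
const FALLBACKS = {
  "script-src": ["default-src"],
  "frame-src": ["child-src", "default-src"],
};

const DEFAULT_PORT = { "https:": "443", "http:": "80" };

// Split a policy string into { directives, unknown }. Directives are separated
// by ';' and a directive's sources by whitespace, so a ';' placed between two
// hosts ends the directive early and turns the next host into an unknown
// directive name, which browsers ignore.
function parseCsp(policy) {
  const directives = {};
  const unknown = [];
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!KNOWN_DIRECTIVES.has(name)) {
      unknown.push(name);
      continue;
    }
    // Browsers honour only the first occurrence of a directive.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return { directives, unknown };
}

// Does one source expression allow `url` when the page origin is `pageOrigin`?
function sourceAllows(source, url, pageOrigin) {
  const target = new URL(url);
  if (source === "*") return true;
  if (source === "'self'") return target.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', 'nonce-…', 'sha256-…': out of scope
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && `${scheme.toLowerCase()}:` !== target.protocol) return false;
  const h = target.hostname.toLowerCase();
  const hostOk = wildcard ? h.endsWith(`.${host.toLowerCase()}`) : h === host.toLowerCase();
  if (!hostOk) return false;
  const targetPort = target.port || DEFAULT_PORT[target.protocol] || "";
  if (port && port !== "*" && port !== targetPort) return false;
  return true;
}

// Would the browser allow `url` under `directive`, following CSP fallbacks?
function allowedBy(policy, directive, url, pageOrigin) {
  const { directives } = parseCsp(policy);
  for (const name of [directive, ...(FALLBACKS[directive] || [])]) {
    if (name in directives) {
      return directives[name].some((s) => sourceAllows(s, url, pageOrigin));
    }
  }
  return true; // no governing directive: CSP places no restriction
}

// Summarise what matters for Drift. The paths are placeholders, not Drift's real asset URLs.
function driftCoverage(policy, pageOrigin) {
  return {
    sdkScript: allowedBy(policy, "script-src", "https://js.driftt.com/sdk.js", pageOrigin),
    widgetScript: allowedBy(policy, "script-src", "https://widget.drift.com/widget.js", pageOrigin),
    widgetFrame: allowedBy(policy, "frame-src", "https://js.driftt.com/frame", pageOrigin),
    unknownDirectives: parseCsp(policy).unknown,
  };
}

// Constructed policies: one with a stray ';' between the two hosts, and the same policy written correctly.
const MISTAKEN_POLICY =
  "script-src 'self' https://js.driftt.com; https://widget.drift.com; " +
  "frame-src 'self' https://js.driftt.com; https://widget.drift.com;";
const CORRECT_POLICY =
  "script-src 'self' https://js.driftt.com https://widget.drift.com; " +
  "frame-src 'self' https://js.driftt.com https://widget.drift.com";

const PAGE_ORIGIN = "https://example.com"; // constructed page origin
console.log("mistaken policy:", driftCoverage(MISTAKEN_POLICY, PAGE_ORIGIN));
console.log("correct policy: ", driftCoverage(CORRECT_POLICY, PAGE_ORIGIN));
```

Run with `node` and compare the two reports: under the mistaken policy `widgetScript` is false and two unknown directive names are reported, because everything after the first `;` in each directive was discarded; under the correct policy all three loads are allowed. The same `allowedBy` check can be pointed at your own page origin and policy string before deployment.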