Content Security Policy (CSP)

Required directives

If your website uses a Content Security Policy, the following sources have to be added in order to use our widget. The sources to be added depend on what channels and integrations are enabled in your Widget settings.

The Trengo Widget uses the following sources in its default configuration (Website Chat without additional channels):

script-src 'unsafe-inline' 'unsafe-eval';
img-src data: https://*;
connect-src wss://;

Additional channels and integrations

The policies required for additional channels and integrations in your Widget are:

  • Twilio (SMS and phone calls via widget):
media-src mediastream:;
connect-src wss://;

  • Surfly screen sharing:
frame-src 'self';

  • Help Center:
connect-src https://<your-help-center-domain>;

It is possible to use a nonce instead of 'unsafe-inline'. To do so, add an id and a nonce attribute to your Trengo Widget script tag, and add one line to the snippet so that the nonce is passed on to the script it loads.

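<script type="text/javascript" id="trengo-widget-script" nonce="YOUR NONCE">
    window.Trengo = window.Trengo || {};
    window.Trengo.key = '<YOUR WIDGET KEY>';
    (function(d, script, t) {
        script = d.createElement('script');
        script.type = 'text/javascript';
        script.async = true;
        script.src = '';

        // The following lines enable the nonce. Browsers blank the nonce
        // attribute once a CSP is active, so the nonce property is read first.
        var loader = d.querySelector('#trengo-widget-script');
        script.setAttribute('nonce', loader ? (loader.nonce || loader.getAttribute('nonce') || '') : '');

        // Insert the widget script into the page
        d.getElementsByTagName('head')[0].appendChild(script);
    }(document));
</script>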
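
The nonce only protects the page if the server generates a new, unpredictable value for every response and sends the same value in the Content-Security-Policy header and in the script tag. The following Node.js sketch is an added example, not Trengo's code: it merges the directives listed above for the enabled channels and replaces 'unsafe-inline' with the nonce. The function names and the `WSS_HOST` placeholder are assumptions, since this page does not state the WebSocket host.

```javascript
// Added example (not Trengo's code). Directive values come from the lists on
// this page; WSS_HOST is a placeholder because the page does not give the host.
const crypto = require('node:crypto');

const WSS_HOST = 'wss://WIDGET-SOCKET-HOST.example'; // placeholder (assumption)

// Fresh, unpredictable nonce for each HTTP response (128 random bits, base64).
function newNonce() {
  return crypto.randomBytes(16).toString('base64');
}

// Merge the widget's required sources for the enabled channels into one policy.
function buildWidgetCsp(nonce, opts = {}) {
  const policy = new Map();
  const add = (directive, ...sources) => {
    if (!policy.has(directive)) policy.set(directive, new Set());
    sources.forEach((s) => policy.get(directive).add(s));
  };

  // Default configuration; the nonce takes the place of 'unsafe-inline'.
  add('script-src', `'nonce-${nonce}'`, "'unsafe-eval'");
  add('img-src', 'data:', 'https://*');
  add('connect-src', WSS_HOST);

  if (opts.twilio) {
    add('media-src', 'mediastream:'); // scheme-source form, with trailing colon
    add('connect-src', WSS_HOST);     // duplicate sources collapse in the Set
  }
  if (opts.surfly) add('frame-src', "'self'");
  if (opts.helpCenterDomain) {
    // Reject values that could smuggle extra sources or directives into the header.
    if (!/^[a-z0-9.-]+$/i.test(opts.helpCenterDomain)) {
      throw new Error('invalid Help Center domain');
    }
    add('connect-src', `https://${opts.helpCenterDomain}`);
  }
  return [...policy].map(([d, s]) => `${d} ${[...s].join(' ')}`).join('; ');
}
```

Call `newNonce()` once per request, pass the result to `buildWidgetCsp()` for the response header, and render the same value into the `nonce` attribute of the widget script tag.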



More information

For more information about CSP and how to use nonces, visit:


CSP generation

It is also possible to generate a complete CSP for your website, using a browser plugin. For example: