-
Longwood_marketing (asked on July 3, 2025, 7:56)
Hello,
We have integrated your chatbot into our WordPress page using the official plugin. For security reasons, we have a Content Security Policy (CSP) enabled, which prevents the chatbot from loading correctly.
Our technical team needs the complete list of all domains and subdomains from which the chatbot loads resources so that we can authorize them in our CSP.
Could you please provide us with this list?
Thank you very much.
Page URL: https://lab.citogen.es
-
Gian_D, Jotform Support (replied on July 3, 2025, 8:58)
Hi Longwood_marketing,
Thanks for reaching out to Jotform Support. Unfortunately, our Spanish Support agents are busy helping other Jotform users at the moment. I'll try to help you in English using Google Translate, but you can reply in whichever language you feel comfortable using. Or, if you'd rather have support in Spanish, let us know and we can have them do that. But, keep in mind that you'd have to wait until they're available again.
As for your issue, you can add a Jotform URL to your WordPress header by following this guide. Once you've added the Jotform URL, you can then use this script to embed your AI Agent on your WordPress website:
<script
src="https://cdn.jotfor.ms/agent/embedjs/{AI_AGENT_ID}/embed.js?skipWelcome=1&maximizable=1">
</script>
After that, can you test your website to see if it's going to work?
Once we hear back from you, we'll be able to help you with this.
-
Longwood_marketing (replied on July 31, 2025, 5:49)
We’ve added the embed script for the AI Chatbot to our WordPress site, but our Content Security Policy is still blocking various resources. To get this working without disabling CSP, we need the complete list of domains and subdomains that the chatbot loads resources from (scripts, APIs, fonts, websockets, etc.).
Could you please provide us with all the hostnames we must allow in our script-src, connect-src, font-src, and any other relevant directives?
-
Joeni, Jotform Support (replied on July 31, 2025, 6:40)
Hi Longwood_marketing,
To ensure that your Content Security Policy (CSP) supports the chatbot’s functionality without compromising security, try whitelisting the necessary domains and subdomains the chatbot relies on to load scripts, APIs, fonts, and websockets.
Although a comprehensive public list of every domain used by the chatbot may not be available, you should generally allow the following in your CSP directives:
- script-src
- connect-src
- font-src
Also, Jotform utilizes the following domains to deliver various services and resources. For seamless chatbot performance and to avoid issues with resource loading, it's advisable to include these in your CSP whitelist:
- jotform.com
- jotform.net
- jotform.us
- jotmails.com
- jotservers.com
- s3.amazonaws.com
Since the chatbot is embedded using a script from cdn.jotfor.ms, this domain must be permitted under the script-src and font-src directives. Also, API calls and websocket connections typically interact with jotform.com and its subdomains. To prevent any resource-blocking issues, be sure to include these domains in the relevant Content Security Policy (CSP) directives.
Give it a try and let us know how it goes.
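
Added example, not part of the thread and not Jotform's own code: because the reply notes that a comprehensive host list may not be available, this sketch goes a step beyond it and derives the allowlist from CSP violation reports (such as those collected with a Content-Security-Policy-Report-Only header), auto-approving only hosts named in the thread. The sample reports, the `ws.jotform.com` host, the font path and the `default-src 'self'` base are constructed assumptions.

```python
from urllib.parse import urlsplit

# Hosts named in the thread. s3.amazonaws.com is shared by all AWS customers,
# so it is matched as an exact host only, never as a parent domain.
VENDOR_PARENTS = ("jotform.com", "jotform.net", "jotform.us",
                  "jotmails.com", "jotservers.com")
VENDOR_EXACT = ("cdn.jotfor.ms", "s3.amazonaws.com")
# Browsers may report the -elem variants; fold them into the base directive.
FOLD = {"script-src-elem": "script-src", "style-src-elem": "style-src"}

def is_vendor_host(host):
    """True for a listed host or a true subdomain of a listed parent."""
    return host in VENDOR_EXACT or any(
        host == p or host.endswith("." + p) for p in VENDOR_PARENTS)

def build_policy(reports, base="default-src 'self'"):
    """Return (header_value, needs_review) from CSP violation reports."""
    sources, review = {}, []
    for r in reports:
        directive = FOLD.get(r["effective-directive"], r["effective-directive"])
        url = urlsplit(r["blocked-uri"])
        host = (url.hostname or "").lower()
        # Only encrypted schemes on hosts from the thread are auto-approved;
        # "inline", http:// and look-alike hosts are left for manual review.
        if url.scheme in ("https", "wss") and is_vendor_host(host):
            sources.setdefault(directive, set()).add(f"{url.scheme}://{host}")
        else:
            review.append((directive, r["blocked-uri"]))
    parts = [base] + [f"{d} 'self' {' '.join(sorted(s))}"
                      for d, s in sorted(sources.items())]
    return "; ".join(parts), review

# Constructed sample reports (assumed values, not captured from a real site).
SAMPLE = [{"effective-directive": d, "blocked-uri": u} for d, u in (
    ("script-src-elem", "https://cdn.jotfor.ms/agent/embedjs/ID/embed.js"),
    ("font-src", "https://cdn.jotfor.ms/fonts/a.woff2"),
    ("connect-src", "wss://ws.jotform.com/socket"),
    ("connect-src", "https://jotform.com.cdn.example/api"),
    ("script-src-elem", "inline"),
)]

if __name__ == "__main__":
    header, review = build_policy(SAMPLE)
    print("Content-Security-Policy:", header)
    for directive, uri in review:
        print("review:", directive, uri)
```

Emitting exact `scheme://host` sources instead of wildcards keeps the policy as narrow as the observed traffic; anything in the review list needs a decision before it is added.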