Is it possible to Yellow chat widget iframe to be strictly opened in certain origin only?

Hi team, there’s some concern coming from client regarding some security with the yellow widget that implemented in their website.

So this client founds out that our widget iframe policy only has x-frame-options: ALLOWALL rules, and no frame-ancestor rules in content-security -policy. Their concern is there’ll be possibilities where unauthorized third party can clone the chat widget script and put it on page other than client page which led to a scam page and client worry about that.

Is there any way we can strict the widget so it can be opened on specific page domain?


Moving this question to the #channels section

Namaste @EgrianoA

We can whitelist the domain(s) where bot needs to be deployed. Bot will then be accessible only via those domain(s). Please raise Engineering support request on PSD board along with list of domain(s).

1 Like

Got it @akshay_bhat, I’ll confirm with the client and create a request after got the list of IPs. Thanks!