Hi team, there’s some concern coming from a client regarding security with the yellow widget that is implemented on their website.
The client found out that our widget iframe policy only has an `x-frame-options: ALLOWALL` rule, and no `frame-ancestors` rule in `content-security-policy`. Their concern is that there’s a possibility that an unauthorized third party can clone the chat widget script and put it on a page other than the client’s page, which leads to a scam page, and the client is worried about that.
Is there any way we can restrict the widget so it can be opened on a specific page domain?
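
One way to check the framing policy described in the question and to build a per-client restriction, as an added example that is not part of the original post or the widget vendor's code. The function names and the `https://client.example` origin are hypothetical, and the sample headers are constructed from the values quoted above.

```python
from urllib.parse import urlsplit

VALID_XFO = {"DENY", "SAMEORIGIN"}  # the only values current browsers honour

def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in (csp or "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def audit_framing(headers):
    """List framing-policy weaknesses in the widget iframe's response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo and xfo not in VALID_XFO:
        findings.append(f"X-Frame-Options {xfo!r} is not a standard value, so it restricts nothing")
    sources = frame_ancestors(h.get("content-security-policy"))
    if sources is None:
        if xfo not in VALID_XFO:
            findings.append("no frame-ancestors directive: any page may embed the widget")
    elif "*" in sources:
        findings.append("frame-ancestors * allows every origin")
    return findings

def build_frame_ancestors(allowed_origins):
    """Build a frame-ancestors directive from one client's origin allowlist."""
    if not allowed_origins:
        return "frame-ancestors 'none'"
    for origin in allowed_origins:
        u = urlsplit(origin)
        # Require exact https origins: no wildcards, no paths (hypothetical policy choice).
        if u.scheme != "https" or not u.netloc or u.path or "*" in u.netloc:
            raise ValueError(f"not an exact https origin: {origin}")
    return "frame-ancestors " + " ".join(allowed_origins)

if __name__ == "__main__":
    current = {"X-Frame-Options": "ALLOWALL"}  # constructed from the question
    for finding in audit_framing(current):
        print("FINDING:", finding)
    fixed = {"Content-Security-Policy": build_frame_ancestors(["https://client.example"])}
    print("after fix:", audit_framing(fixed) or "no findings")
```

The directive has to be sent on the response that serves the widget's iframe document, since that is the resource whose embedding the browser enforces; setting it on the client's own page does not restrict where the widget can be framed.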