About the widget security policy

The Customer Service Management widget can be embedded on any website and can be customized to match your brand. Read more about the widget.

About the widget content security policy (CSP)

The widget is powered by an Atlassian-hosted script which can be loaded onto your website and will inject a user interface powered by an iframe application.

Websites often use a content security policy as a security layer to control what content is allowed to load and run in the browser. This mainly protects against:

  • Cross‑Site Scripting (XSS) – blocking injected scripts or malicious inline JS

  • Untrusted third‑party content – restricting which domains can serve scripts, iframes, images, styles, etc.

  • Data exfiltration – controlling where the page is allowed to send data (for example, connect-src, form-action)

Because the CSP is enforced by the browser, anything that doesn’t match the site’s CSP rules will be blocked from loading or executing.

How the CSP can affect widget loading

Since embedding the CSM widget requires loading resources from a third-party (Atlassian) onto your website, your website’s CSP must permit the necessary resources to be loaded.

For the CSM widget, the following CSP policies can affect the widget and must be reviewed and allowed.

Script loading: script-src

The embed script is an inline script that injects another script from your Jira site ({site} below) once your website is loaded. If your website’s CSP script-src directive does not support this, the browser will block the script tag and the widget will never initialise.

For example, the embed script:

    <script>
      window.csmWidgetSettings = {
        widgetId: "{widgetId}",
        site: "{site}",
        cloudId: "{cloudId}",
      }
    </script>
    <script>
      (function(){
        if (typeof window.CSM === "undefined") {
          var CSM = function(){CSM.__q__.push(arguments);};
          CSM.__q__=[];
          window.CSM=CSM;
          var l = function() {
            var s = document.createElement('script');
            s.type="text/javascript";
            s.async=true;
            s.src="https://{site}/csm/widget/script.js?widgetId={widgetId}&site={site}&cloudId={cloudId}";
            document.body.appendChild(s);
          }
          if(document.readyState==="complete"){l();}else{window.addEventListener('load',l);}
        }
      }())
    </script>

This setup supports a Strict CSP as described in the web.dev article Mitigate cross-site scripting (XSS) with a strict Content Security Policy (CSP).

These inline scripts subsequently load another script hosted by your Jira site. That script is updated frequently to deploy new features, security updates and improvements, so it should not be cached, and a hash- or integrity-based Strict CSP cannot be used for it. Instead, we recommend the 'strict-dynamic' source expression: allow the inline embed scripts themselves with a nonce or hash, and 'strict-dynamic' extends that trust to the script they inject.

Iframe embedding: frame-src

The widget UI is driven via an iframe embedding your customer experience. Ensure your website’s frame-src CSP expression doesn’t block the widget’s iframe origin, which is determined by the value provided as site in your widget embed script.

    <script>
      window.csmWidgetSettings = {
        widgetId: "{widgetId}",
        site: "{site}", // <-- ensure this domain is allowlisted in `frame-src`
        cloudId: "{cloudId}",
      }
    </script>

To allow the widget user-interface iframe to load, ensure your frame-src directive allows the Jira site hostname defined in your widget settings.

Network calls: connect-src

While most network activity occurs within the widget iframe, a few calls are made directly from the embedding website in order to launch your widget and send operational metrics. We recommend you make sure your connect-src permits:

  • the Jira site hostname defined in your widget settings

  • https://as.atlassian.com

Styles and assets: style-src, img-src, font-src

While most of the resources used to display your widget’s user interface are loaded from within the iframe embedding your customer experience, some additional resources (such as brand images and fonts) may be loaded directly by your website to display the user interface around the iframe (such as the widget launcher/bubble).

The style-src directive should allow:

  • 'unsafe-inline'

The img-src and font-src directives should both allow:

  • the Jira site hostname defined in your widget settings

  • https://jcs-chat-widget.atlassian.com

  • https://api.media.atlassian.com

  • https://media-cdn.atlassian.com
