Content Security Policy (CSP) — Velaro Chat Widget

A Content Security Policy (CSP) is an HTTP response header that tells the browser which sources a page may load scripts, images and other resources from, and which origins it may open network connections to. If your site sends a CSP, you must allow the Velaro origins listed below; otherwise the browser blocks the widget and reports a CSP violation in the developer console.

Required: add Velaro to your CSP

Add these entries to your Content-Security-Policy header. If your policy currently relies on default-src alone, add the explicit directives below rather than extending default-src: once script-src, connect-src or img-src is present, the browser stops consulting default-src for that resource type, so each directive must also keep 'self' and any other sources you already depend on.

Content-Security-Policy:
  script-src  'self' https://eastprodcdn.azureedge.net;
  connect-src 'self' https://api-visitor-us-east.velaro.com
                     https://api-engagement-us-east.velaro.com
                     https://signalr-engagement-us-east.velaro.com
                     wss://signalr-engagement-us-east.velaro.com;
  img-src     'self' data: https://eastprodcdn.azureedge.net;

  • script-src https://eastprodcdn.azureedge.net — allows the Velaro widget scripts (shim and chat bundle) to load and run
  • connect-src — allows the widget to reach the visitor API, the engagement API and the real-time chat hub (REST over HTTPS plus the WebSocket connection, which needs the wss: entry)
  • img-src https://eastprodcdn.azureedge.net — allows agent avatars and widget images to display

The widget does not need 'unsafe-eval' or 'unsafe-inline'; do not add them on Velaro's account.

Why you need the CDN domain, not just a nonce

The Velaro widget loads in two stages: the shim script runs in your page, then loads the chat bundle inside a sandboxed iframe. Because the iframe is a separate document context, 'strict-dynamic' trust propagated from a nonce-authorized script does not reliably reach it in all browsers, so a nonce on the embed tag alone does not guarantee that the second-stage load is permitted. Listing https://eastprodcdn.azureedge.net in script-src is the browser-consistent solution that covers both stages. One caveat: browsers that honor 'strict-dynamic' ignore host entries in script-src, so if your policy combines a nonce with 'strict-dynamic', the CDN entry only takes effect in browsers that fall back to the host allowlist. Test the widget in every browser you support before relying on that combination.
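The following checker is an added example, not Velaro's code: it parses an existing Content-Security-Policy value, applies the default-src fallback described above, and reports which of the Velaro origins each directive still blocks, plus a warning when script-src carries 'strict-dynamic'. It assumes a Node.js runtime with the WHATWG URL class and a page served over https (pageScheme is an assumed parameter); the list of required origins is taken from this article, and source matching is a conservative subset of CSP3 host-source, scheme-source and '*' matching that deliberately does not let an https: entry satisfy a wss: origin.

```javascript
// Added example (not Velaro's code). Checks a CSP header for the entries the
// Velaro widget needs. Assumes Node.js (WHATWG URL) and an https page.

// Origins taken from the article; keyed by the directive that governs them.
const VELARO_REQUIREMENTS = {
  "script-src": ["https://eastprodcdn.azureedge.net"],
  "connect-src": [
    "https://api-visitor-us-east.velaro.com",
    "https://api-engagement-us-east.velaro.com",
    "https://signalr-engagement-us-east.velaro.com",
    "wss://signalr-engagement-us-east.velaro.com",
  ],
  "img-src": ["https://eastprodcdn.azureedge.net"],
};

const DEFAULT_PORT = { http: "80", https: "443", ws: "80", wss: "443" };

// "a b; c d e" -> { a: ["b"], c: ["d", "e"] }. Directive names are
// case-insensitive and, as in CSP3, only the first occurrence counts.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// CSP3 scheme-part matching: exact match or a secure upgrade of the listed
// scheme. Note that "https" does not match "wss", which is why the article
// lists the signalr host twice.
function schemeMatches(sourceScheme, urlScheme) {
  if (sourceScheme === urlScheme) return true;
  if (sourceScheme === "http" && urlScheme === "https") return true;
  if (sourceScheme === "ws" && ["wss", "http", "https"].includes(urlScheme)) return true;
  if (sourceScheme === "wss" && urlScheme === "https") return true;
  return false;
}

// Does one source expression allow the given origin? Keywords ('self',
// 'strict-dynamic'), nonces and hashes never match a URL and return false.
function sourceAllows(expr, origin, pageScheme = "https") {
  const url = new URL(origin);
  const scheme = url.protocol.slice(0, -1).toLowerCase();
  const port = url.port || DEFAULT_PORT[scheme] || "";
  if (expr === "*") return scheme in DEFAULT_PORT;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {            // scheme-source, e.g. "wss:"
    return schemeMatches(expr.slice(0, -1).toLowerCase(), scheme);
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(expr);
  if (!m) return false;
  const exprScheme = (m[1] || pageScheme).toLowerCase(); // no scheme: inherit the page's
  const exprHost = m[2].toLowerCase();
  const exprPort = m[3];
  if (!schemeMatches(exprScheme, scheme)) return false;
  if (exprHost.startsWith("*.")) {                       // wildcard needs at least one extra label
    const suffix = exprHost.slice(1);
    if (!url.hostname.endsWith(suffix) || url.hostname.length <= suffix.length) return false;
  } else if (exprHost !== "*" && exprHost !== url.hostname) {
    return false;
  }
  if (!exprPort) return url.port === "";                 // no port listed: URL must use its default
  return exprPort === "*" || exprPort === port;
}

// Returns { ok, missing: { directive: [blocked origins] }, warnings: [...] }.
function checkVelaroCsp(header, pageScheme = "https") {
  const policy = parseCsp(header);
  const missing = {};
  const warnings = [];
  for (const [directive, origins] of Object.entries(VELARO_REQUIREMENTS)) {
    // script-src, connect-src and img-src all fall back to default-src.
    const sources = policy[directive] ?? policy["default-src"];
    if (sources === undefined) continue;                 // nothing restricts this type
    if (directive === "script-src" && sources.includes("'strict-dynamic'")) {
      warnings.push("script-src uses 'strict-dynamic': browsers that honor it ignore host entries, " +
                    "so the CDN allowlist only applies where the browser falls back to hosts");
    }
    const blocked = origins.filter((o) => !sources.some((s) => sourceAllows(s, o, pageScheme)));
    if (blocked.length > 0) missing[directive] = blocked;
  }
  return { ok: Object.keys(missing).length === 0, missing, warnings };
}

// Constructed sample: a policy that relies on default-src only, so every
// Velaro origin is reported as missing from the three explicit directives.
const sample = checkVelaroCsp("default-src 'self'");
console.log(JSON.stringify(sample, null, 2));
```

Run it against the exact header value your server sends (for example, copied from the Network tab of the browser's developer tools); each key in `missing` is a directive to add or extend, and the warning appears whenever the policy's script-src carries 'strict-dynamic'.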

Troubleshooting

Symptom: Widget does not load; the console shows "Refused to execute script"
  Likely cause: script-src entry missing
  Fix: add https://eastprodcdn.azureedge.net to script-src

Symptom: Chat messages fail or the widget keeps spinning
  Likely cause: connect-src entries missing
  Fix: add https://api-engagement-us-east.velaro.com, https://signalr-engagement-us-east.velaro.com and wss://signalr-engagement-us-east.velaro.com to connect-src

Symptom: Avatars or images broken
  Likely cause: img-src entry missing
  Fix: add https://eastprodcdn.azureedge.net to img-src

Symptom: Widget blocked inside an embedded frame
  Likely cause: the frame's document has its own CSP
  Fix: add the same entries to the Content-Security-Policy response header of that frame's document