Tags: web-config, botframework, sharepoint-2013, content-security-policy, direct-line-botframework

How to set Content-Security-Policy to allow botframework scripts in web.config file


I'm adding a Direct Line bot into my SharePoint page. I created a content editor webpart and added an HTML file in it; inside the HTML file I used the following code to call the bot:

    // styleOptions, emailid and user are defined earlier in the HTML file (not shown)
    window.WebChat.renderWebChat(
        {
            // Direct Line connection using the token obtained for this user
            directLine: window.WebChat.createDirectLine({
                token: 'tokenid'
            }),
            styleOptions,
            userID: emailid,
            username: user,
            locale: 'en-US',
            userAvatarInitials: 'iniital'
        },
        document.getElementById('webchat')
    );
    // Give keyboard focus to the rendered Web Chat control
    document.querySelector('#webchat > *').focus();

While loading the bot, I'm getting the following console error in Chrome, and the bot is not working:

Refused to connect to 'wss://directline.botframework.com/v3/directline/conversations/7BqkaBZaNQIKKjPc2VBAOw-h/stream?watermark=-&t=ew0KICAiYWxnIjogIlJTMjU2IiwNCiAgImtpZCI6ICJBT08tZXhGd2puR3lDTEJhOTgwVkxOME1tUTgiLA0KICAieDV0IjogIkFPTy1leEZ3am5HeUNMQmE5ODBWTE4wTW1ROCIsDQogICJ0eXAiOiAiSldUIg0KfQ.ew0KICAiYm90IjogIkNBU19OTFBfQm90IiwNCiAgInNpdGUiOiAiOVBrZGsxZFpfOU0iLA0KICAiY29udiI6ICI3QnFrYUJaYU5RSUtLalBjMlZCQU93LWgiLA0KICAibmJmIjogMTU3NzY4NzQ3NSwNCiAgImV4cCI6IDE1Nzc2ODc1MzUsDQogICJpc3MiOiAiaHR0cHM6Ly9kaXJlY3RsaW5lLmJvdGZyYW1ld29yay5jb20vIiwNCiAgImF1ZCI6ICJodHRwczovL2RpcmVjdGxpbmUuYm90ZnJhbWV3b3JrLmNvbS8iDQp9.PwUk4yQgpXZ_ohnTUAZzfnvG5NQTteaLvX5iDDPbC6nFrs_S7pICngcldf_R8ujPDFBQISSXNc3O7fF5ndX3Qqk8SHPl1jM2yOV0tkqxKu-C-4OvTr2sDW_k7vmGpvNQQrbiAQvVrimNydrr3a6B2coQlvNes1CdZopsi01wnanDNmXErJBkQnCQ0-yQvkSSP7PiiC8eQewUsVT6onCsvBpwWj-CoZ6TBmWZdYUcGtZRx1WkqyZwKvRbKtyqvr_S7jBfZlL51DozYBEQ4_C0bt2R2p-7MTlE6egUi9ZTSTNklVlIFBqw7_hdWR92NLsWZqWewGUb2RvapYaTpWObuA' because it violates the following Content Security Policy directive: "default-src https: data: 'unsafe-inline' 'unsafe-eval'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

This is because my web.config file has this CSP header:

<add name="Content-Security-Policy" value="default-src https: data: 'unsafe-inline' 'unsafe-eval'" />

When I remove this header, I'm able to run the bot and it's working, but I don't want to remove this header from my web.config file. I want to explicitly mention this botframework URL so that it allows the bot to run.

So please help me with how to explicitly set this header to allow the required scripts to run the bot.


Solution

  • Thanks for commenting the answer; by adding wss: the issue is fixed.

    <add name="Content-Security-Policy" value="default-src https: data: wss: 'unsafe-inline' 'unsafe-eval'" />
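As an added illustration (not code from the question, the answer, or the Bot Framework project), the following reduced CSP source matcher reproduces the refusal from the console error, confirms that the wss: fix above permits the Direct Line WebSocket, and also checks a narrower policy that leaves default-src unchanged and pins connect-src to the Direct Line host, which is what the question originally asked for. The WebSocket URL is a constructed one in the shape of the refused URL; the page origin is assumed to be https.

```javascript
// Added example (not from the question, the answer, or Bot Framework): a reduced
// CSP source matcher for the connect-src check. Simplifications: page origin
// assumed https; no redirects, ports, nonces, hashes or 'self'.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// CSP3 scheme-part matching: expression scheme a against URL scheme b,
// including the secure-upgrade cases (http -> https, ws -> wss).
function schemeMatches(a, b) {
  a = a.toLowerCase(); b = b.toLowerCase();
  return a === b || (a === 'http' && b === 'https') || (a === 'ws' && b === 'wss');
}

function sourceMatches(expr, url, originScheme = 'https') {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  if (expr === '*') return ['http', 'https', originScheme].includes(scheme);
  if (expr.startsWith("'")) return false; // keyword sources never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return schemeMatches(expr.slice(0, -1), scheme);
  // host-source [scheme://]host[/path]; a schemeless host inherits the page's scheme
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?((?:\*\.)?[a-z0-9.-]+)(\/\S*)?$/i.exec(expr);
  if (!m) return false;
  const [, exprScheme, host, path] = m;
  if (!schemeMatches(exprScheme || originScheme, scheme)) return false;
  const h = host.toLowerCase(), target = u.hostname.toLowerCase();
  if (!(h.startsWith('*.') ? target.endsWith(h.slice(1)) : target === h)) return false;
  return !path || u.pathname.startsWith(path);
}

// WebSockets are governed by connect-src; when it is absent the browser falls
// back to default-src, exactly as the console error in the question states.
function connectAllowed(policy, url, originScheme = 'https') {
  const d = parsePolicy(policy);
  const sources = d['connect-src'] || d['default-src'];
  return !sources || sources.some((s) => sourceMatches(s, url, originScheme));
}

// Constructed URL in the shape of the refused one (conversation id and token omitted).
const WS_URL = 'wss://directline.botframework.com/v3/directline/conversations/CONV_ID/stream';
const ORIGINAL = "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
const FIXED = "default-src https: data: wss: 'unsafe-inline' 'unsafe-eval'";
// Narrower than a blanket wss:: keep default-src as is, pin connect-src to the Direct Line host.
const PINNED = "default-src https: data: 'unsafe-inline' 'unsafe-eval'; connect-src https: wss://directline.botframework.com";
```

connectAllowed(ORIGINAL, WS_URL) is false, while both FIXED and PINNED return true; PINNED additionally refuses WebSocket connections to any other host.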