diff --git a/assets/js/crisp.js b/assets/js/crisp.js
new file mode 100644
index 00000000..79fcb4c2
--- /dev/null
+++ b/assets/js/crisp.js
@@ -0,0 +1,9 @@
+window.$crisp = [];
+window.CRISP_WEBSITE_ID = "d1d5816e-314a-45e4-9715-144347b1039a";
+(function () {
+ d = document;
+ s = d.createElement("script");
+ s.src = "https://client.crisp.chat/l.js";
+ s.async = 1;
+ d.getElementsByTagName("head")[0].appendChild(s);
+})();
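Review bot: `d` and `s` inside the IIFE are assigned without a declaration, so in sloppy mode they become properties of `window`, and the file throws a ReferenceError if it is ever served as a module or under `'use strict'`. Declare them locally: `const d = document;` and `const s = d.createElement("script");`. The loader fetched from `client.crisp.chat` runs with the full privileges of every page that includes this file, and presumably cannot be pinned with an `integrity` attribute because the vendor updates it in place. A header comment stating which pages are meant to load it would help keep it off views that handle credentials.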
diff --git a/src/index.ts b/src/index.ts
index f747b9bd..b39874cd 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -78,11 +78,39 @@ if (!DISABLE_SECURITY_RESPONSE_HEADERS) {
const cspConfig = {
directives: {
defaultSrc: ["'self'"],
- imgSrc: ["'self'", "data:", "stats.data.gouv.fr"],
- connectSrc: ["'self'", "stats.data.gouv.fr"],
- scriptSrc: ["'self'", "stats.data.gouv.fr"],
- styleSrc: ["'self'"],
- fontSrc: ["'self'", "data:"],
+ imgSrc: [
+ "'self'",
+ "data:",
+ "stats.data.gouv.fr",
+ "client.crisp.chat",
+ "image.crisp.chat",
+ "storage.crisp.chat",
+ ],
+ connectSrc: [
+ "'self'",
+ "stats.data.gouv.fr",
+ "wss://client.relay.crisp.chat",
+ "client.crisp.chat",
+ "storage.crisp.chat",
+ "wss://stream.relay.crisp.chat",
+ ],
+ scriptSrc: [
+ "'self'",
+ "stats.data.gouv.fr",
+ "settings.crisp.chat",
+ "blob:",
+ ],
+ styleSrc: ["'self'", "client.crisp.chat", "'unsafe-inline'"],
+ fontSrc: ["'self'", "data:", "client.crisp.chat"],
+ mediaSrc: ["'self'", "client.crisp.chat"],
+ frameSrc: ["'self'", "game.crisp.chat"],
+
+ scriptSrcElem: [
+ "'self'",
+ "client.crisp.chat",
+ "'sha256-RtdC0WqE+hX0MgZZk4QgMbkV1woYKbsuKQKKnWxsudI='",
+ ],
+ workerSrc: ["'self'", "blob:"],
// As for https://github.com/w3c/webappsec-csp/issues/8, the feature is debated
// and seems not useful for open id provider redirection.
// We bypass this security for now.
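Review bot: `scriptSrcElem` takes precedence over `scriptSrc` for `<script>` elements in browsers that implement it, and the two lists added here disagree: `stats.data.gouv.fr` is missing from `scriptSrcElem`, and `client.crisp.chat` is missing from `scriptSrc`, which is what browsers without `script-src-elem` support fall back to. If the analytics script is loaded from `stats.data.gouv.fr` as a script element it would now be blocked, so I would either add `"stats.data.gouv.fr",` to `scriptSrcElem` or drop `scriptSrcElem` and keep a single list in `scriptSrc`. `'unsafe-inline'` in `styleSrc` and `blob:` in `scriptSrc`/`workerSrc` loosen the policy for every response, not only the pages that show the chat widget. A comment such as `// Required by the Crisp widget; remove together with assets/js/crisp.js` above each exception, plus one naming the inline script the `sha256-` hash covers, would keep them from outliving their purpose. The `cspConfig` object continues outside the hunk.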
diff --git a/src/views/partials/head.ejs b/src/views/partials/head.ejs
index d21e2af0..4be27208 100644
--- a/src/views/partials/head.ejs
+++ b/src/views/partials/head.ejs
@@ -27,6 +27,8 @@
+
+