Display Messages with Static Source


The Display Messages with Static Source feature determines how the iframe content is loaded for on-site messages. There are two supported methods for iframe integration depending on whether this feature is enabled or disabled.

How to Access and Enable the Feature

  1. Go to the Settings:
    • Navigate to Settings.
  2. Access the Integrations Section:
    • Under Integrations, go to Applications to manage your app settings.
  3. Click the "New" Button:
    • On the Applications page, you will see a button labeled New.
  4. Select "Website" as the type:
    • When the new screen opens, choose Website as the type.
  5. Enable "Onsite Messaging":
    • In the settings for the website integration, find the option labeled Onsite Messaging.
    • Enable this option to allow you to display messages on the site.
  6. Enable or Disable "Display Messages with Static Source":
    • You will now see the "Display Messages with Static Source" setting:
      • Enabled: The Web SDK uses an initiator file as the src of iframes. This helps when the website does not allow data:text/html in the src attribute.
      • Disabled: The Web SDK uses data:text/html as the src of iframes.

Methods

1. Default Method (Feature Disabled)

This method is applied when the Display Messages with Static Source feature is disabled.

In this method, the iframe’s src attribute starts with data:text/html, followed by the URI-encoded HTML of the onsite content.

2. New Method (Feature Enabled)

This method is applied when the Display Messages with Static Source feature is enabled.

In this method, the src attribute of the iframe includes the URL of a common file:
https://{CDN_DOMAIN}/onsite-initiator/index.html
This file receives the HTML of the onsite content as a message and displays it inside.

Some users have a Content Security Policy (CSP) header defined on their website.
This header can include a frame-src rule, which controls what values are allowed in the src attribute of an iframe.

For the data:text/html method to work, the frame-src rule must include the value data:*.
However, in certain cases, customers may choose not to include it due to their internal security policies or preferences.

To support such scenarios, we introduced this new method.
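
The frame-src behaviour described above, as an added example (not D-engage's code): a simplified check that reports which of the two iframe methods a given policy would let the browser load. `cdn.example.com`, the sample policy and the function names are constructed; the check uses the standard CSP scheme-source form `data:` and ignores ports and paths.

```javascript
// Added example: simplified CSP frame-src matching (ports and paths are ignored).
const CDN_DOMAIN = "cdn.example.com"; // constructed placeholder for {CDN_DOMAIN}
const INITIATOR_URL = `https://${CDN_DOMAIN}/onsite-initiator/index.html`;
// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources; // first occurrence wins
  }
  return policy;
}

// Does one source expression allow the URL as an iframe src?
function sourceMatches(source, url, selfOrigin) {
  const u = new URL(url);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  if (u.protocol === "data:") return false; // only an explicit scheme source allows data:
  if (source === "*") return true;
  if (source === "'self'") return u.origin === selfOrigin;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?((?:\*\.)?[a-z0-9.-]+)(?::(?:\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return false; // 'none', keywords, nonces and hashes never match a URL
  const [, scheme, host] = m;
  if (scheme && u.protocol !== scheme.toLowerCase() + ":") return false;
  const h = host.toLowerCase();
  return h.startsWith("*.") ? u.hostname.endsWith(h.slice(1)) : u.hostname === h;
}

// frame-src governs iframes; browsers fall back to child-src, then default-src.
function frameAllowed(cspHeader, url, selfOrigin) {
  const policy = parseCsp(cspHeader);
  const sources = policy["frame-src"] ?? policy["child-src"] ?? policy["default-src"];
  if (sources === undefined) return true; // no directive restricts frames
  return sources.some((s) => sourceMatches(s, url, selfOrigin));
}

// Which of the two integration methods would this site's CSP let the browser load?
function loadableMethods(cspHeader, html, selfOrigin) {
  const dataUrl = "data:text/html," + encodeURIComponent(html);
  return {
    featureDisabled: frameAllowed(cspHeader, dataUrl, selfOrigin),
    featureEnabled: frameAllowed(cspHeader, INITIATOR_URL, selfOrigin),
  };
}

// Constructed sample policy: strict frame-src that lists the CDN but not data:.
const sample = "default-src 'self'; frame-src 'self' https://cdn.example.com";
console.log(loadableMethods(sample, "<p>Hello</p>", "https://shop.example"));
```

With the feature enabled, the initiator file's CDN host still has to be permitted by frame-src, so a policy that lists only 'self' blocks both methods.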

What is Content Security Policy (CSP)?

Content Security Policy (CSP) is a security feature that helps protect websites from certain attacks, mainly Cross-Site Scripting (XSS) and Clickjacking. CSP tells a web browser what it can and cannot load from different sources, providing an extra layer of protection.

CSP and the "Display Messages with Static Source" Feature

Display Messages with Static Source controls how messages are shown inside an iframe on a webpage.

  • If the feature is disabled, the iframe uses data:text/html (which is a method of embedding HTML directly into the iframe).
  • If the feature is enabled, the iframe loads its content from a URL hosted on a trusted server such as a CDN.