Content Security Policy Header

I’m currently developing a chatbot using RASA. Now we want to include the chatbot in our website using

The guy from the website team asks me to set in’s Content Security Policy Header the default-src or connect-src value, since he get following error:

xyz.js:1 Refused to connect to ‘http://$OUR_URL$/’ because it violates the following Content Security Policy directive: “default-src https: http://localhost”. Note that ‘connect-src’ was not explicitly set, so ‘default-src’ is used as a fallback.

When opening the website on a local server on localhost it works. It don’t works when the website is deployed to a server.

However I don’t find where I can set it.

Can anybody help? Thanks!

Mhm I am not sure we actually set that header. As far as I can see, the header is not specified anywhere. Juding by the docs for mozilla (chrome should do the same thing Content Security Policy (CSP) - HTTP | MDN) the browser should fallback to CORS headers if CSP is not present. You can specify the CORS headers when using rasa (e.g. using --cors "*" when running on the command line) does that work for you?