How to Add Trusted Domains to Your Live Chat Widget
Securing Your Live Chat Widget with Trusted Domains and CORS Policy Configuration
Trusted Domains help secure your live chat widget by restricting where it can be embedded or accessed. This ensures only your approved websites can display and interact with the chat service, protecting your brand and customer data.
For instructions on updating your website’s CORS settings, see How to Fix Live Chat Widget Loading Issues Caused by Referrer Policy Settings When Trusted Domain Enabled.
Why Use Trusted Domains?
Enabling the Trusted Domains setting ensures:
- Your chat widget loads only on allowed domains
- Unauthorized embedding is blocked
- Sensitive customer interactions remain secure
Steps to Configure Trusted Domains
Follow these steps to enable and set up trusted domains for your widget:
- Navigate to: Admin > Chat > Live Chat.
- Choose an existing widget or click Add Widget.
- Navigate to Preference > Security under Chat Bot settings.
- Toggle Enable Trusted Domains.
- Add a trusted domain in the provided text field.
- Use appropriate domain patterns:

  | Domain Pattern | Access Rule |
  | --- | --- |
  | example.bolddesk.com | Exact match (works for both HTTP and HTTPS) |
  | https://example.bolddesk.com | HTTPS-only match |
  | *.bolddesk.com | All subdomains of bolddesk.com |
  | *.bolddesk.com/sales | All subdomains with /sales path |
  | example.bolddesk.com/sales* | URLs starting with /sales (includes subpaths) |
  | example.bolddesk.com/sales | Exact path only (no subpaths) |

- Click Add Domain to include multiple entries.
After a Trusted Domain is added, the live chat widget will render on that specific domain.
Outside of the specified domain, the live chat widget will not render, and a console error indicating “not found” will be displayed.
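To check which page URLs a planned allowlist would cover before saving it, the pattern table above can be modelled as a small matcher. This is an added example, not BoldDesk's own code; the function names are hypothetical, and it assumes that a pattern with no path allows any path, that `*.` covers subdomains but not the apex domain, that an `http://` prefix is handled like the documented `https://` one, and that a trailing `*` is a literal prefix match.

```javascript
// Added example, not BoldDesk's implementation. Assumptions: a pattern with no
// path allows any path; "*." covers subdomains only, not the apex; a trailing
// "*" is a literal prefix match; ports and query strings are ignored.
function parsePattern(pattern) {
  const m = /^(https?):\/\/(.*)$/i.exec(pattern.trim());
  const scheme = m ? m[1].toLowerCase() : null; // null = HTTP or HTTPS
  const rest = m ? m[2] : pattern.trim();
  const slash = rest.indexOf("/");
  return {
    scheme,
    host: (slash === -1 ? rest : rest.slice(0, slash)).toLowerCase(),
    path: slash === -1 ? null : rest.slice(slash), // null = any path
  };
}

function hostMatches(patternHost, host) {
  if (!patternHost.startsWith("*.")) return host === patternHost;
  // Keep the leading dot so the suffix starts at a label boundary:
  // "evilbolddesk.com" must not match "*.bolddesk.com".
  const suffix = patternHost.slice(1);
  return host.length > suffix.length && host.endsWith(suffix);
}

function pathMatches(patternPath, path) {
  if (patternPath === null) return true;
  if (patternPath.endsWith("*")) return path.startsWith(patternPath.slice(0, -1));
  return path === patternPath; // exact path only, no subpaths
}

function isTrusted(pageUrl, patterns) {
  let url;
  try { url = new URL(pageUrl); } catch { return false; } // unparsable: deny
  const scheme = url.protocol.slice(0, -1);
  if (scheme !== "http" && scheme !== "https") return false;
  return patterns.some((p) => {
    const rule = parsePattern(p);
    return (rule.scheme === null || rule.scheme === scheme) &&
      hostMatches(rule.host, url.hostname) && pathMatches(rule.path, url.pathname);
  });
}

// Constructed sample allowlist and page URLs.
const allow = ["https://example.bolddesk.com", "*.bolddesk.com/sales"];
for (const u of ["https://example.bolddesk.com/help", "http://example.bolddesk.com/help",
  "https://shop.bolddesk.com/sales", "https://evilbolddesk.com/sales"]) {
  console.log(u, isTrusted(u, allow));
}
```

Under the literal-prefix assumption, `example.bolddesk.com/sales*` also covers `/salesforce`, so prefer the exact-path form when only one page should host the widget.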
Required: Update Your CORS Policy
Enabling Trusted Domains is not sufficient on its own. You must also configure your CORS (Cross-Origin Resource Sharing) headers and Referrer-Policy to allow the chat widget to communicate securely across origins.
Refer to this guide to update your CORS settings appropriately: Change Referrer-Policy (CORS) Settings
FAQs
1. What happens if I forget to add my domain?
The chat widget will not load. A “not found” error appears in dev tools.
2. Can I use wildcards?
Yes. For example, *.example.com covers all subdomains.
3. Does HTTPS matter?
Yes. Prefixing a domain with https:// enforces HTTPS-only matching.
4. Do I still need CORS settings if Trusted Domains are enabled?
Yes. Trusted Domains restrict access, but CORS controls cross-origin communication.
5. Can I add paths (e.g., /help)?
Yes. Path-level rules allow fine‑grained control over where the widget loads.