Kundo Chat: Domain names and security
With display rules in the chat flow settings you control where the chat can be included and when it should be displayed.

Here we provide some information and advice on what to think about when choosing permitted addresses, which is especially important if you handle sensitive information in the chat.

General information about origins and domains

Web security is in many ways linked to a particular origin. An origin is the combination of protocol (http or https), domain name and port (the port is a number that is sometimes displayed after the domain name in the address).

If you visit https://kundo.se, it has a different security context than https://kundo.fi, so logins and data storage are usually separated between these. http://kundo.se and https://kundo.se are also different origins since only one of them is secured with encryption.

Allowed origins for Kundo Chat

Kundo Chat can be used across several domains and origins, by sharing the user's access data across all the origins you have allowed. This way, the user can bring an ongoing chat to other pages, even if you use several different domains or origins.

You select for which pages the chat should be available in the display rules of the respective chat flow settings.

Use trusted domains

You should only add display rules for pages that you trust enough in relation to how sensitive the chat is. Scripts running on any of your allowed origins can read the user's token, which is used to join or read the chat. You should therefore only allow origins where you control, or trust, the scripts that can be run.

It is also important to only include the chat on https origins. Regardless of whether the chat is displayed on an encrypted page or not, all communication in Kundo Chat will be encrypted. However, pages delivered over http are vulnerable to script injection, which can lead to leakage of the user's token and chat data.

Origins are shared between flows

The check of what origins are allowed is performed for all your chat flows in Kundo. If the display rules for a flow allow a certain origin, scripts on that origin can read the user's access token for your other chat flows as well.

The display rules control where the chat can be initiated, and the hide rules where it can continue to run after it has started. An ongoing chat is carried over to every other page on one of your allowed origins where you have included Kundo Chat.
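The origin comparison and the shared allow-list described above, as an added example (not Kundo's own code): it derives the origin (scheme, host, port) of a page URL, takes the union of the origins allowed by every chat flow, and refuses any page that is not served over https. The flow names and origins in FLOWS are constructed for this example.

```javascript
// Added example (not Kundo's code): compute page origins and apply an
// allow-list the way the display-rule check described above works.
// The flow names and origins below are constructed for the example.
const FLOWS = {
  support: ["https://kundo.se", "https://kundo.fi"],
  sales: ["https://kundo.se", "https://shop.kundo.se:8443"],
};

// Origin = scheme + host + port. The URL parser drops default ports, so
// "https://kundo.se:443/" and "https://kundo.se/" yield the same origin,
// while "http://kundo.se/" and "https://www.kundo.se/" are different ones.
function originOf(pageUrl) {
  return new URL(pageUrl).origin;
}

// The origin check is shared between flows: any origin allowed by any flow
// can read the user's token, so the effective allow-list is the union.
function effectiveAllowedOrigins(flows) {
  const all = new Set();
  for (const origins of Object.values(flows)) {
    for (const o of origins) all.add(originOf(o));
  }
  return all;
}

// Decide whether the chat may be shown on a page: it must be an https
// origin (an http page is exposed to script injection that could leak the
// token) and must be in the effective allow-list.
function chatAllowed(pageUrl, flows = FLOWS) {
  const url = new URL(pageUrl);
  if (url.protocol !== "https:") {
    return { allowed: false, reason: "page is not served over https" };
  }
  if (!effectiveAllowedOrigins(flows).has(url.origin)) {
    return { allowed: false, reason: `${url.origin} is not an allowed origin` };
  }
  return { allowed: true, reason: "ok" };
}
```

Note that https://kundo.fi is accepted even though only the support flow lists it, which is exactly the cross-flow sharing the text warns about.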
