
Content Security Policy (CSP) support for the chat widget

Security-focused websites lock down their Content Security Policy by removing 'unsafe-inline' from style-src. Until now that broke the chat widget: the styles it injects into the page were blocked, leaving a bare, unstyled button instead of your chatbot.


The widget loader now supports CSP nonces. Pass your page's per-request nonce to the embed script and the widget applies it to everything it injects, so it works under the strictest policy with no 'unsafe-inline' required:

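var s = document.createElement("script"); // the script element the embed snippet loads the widget with
s.src = "https://sitespeak.ai/chatbots/YOUR_CHATBOT_ID.js";
s.nonce = "your-per-request-nonce"; // new: the nonce your server generated for this response
s.async = 1;
document.head.appendChild(s);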

Then include the same nonce in your script-src and style-src CSP directives.

Nothing changes for existing installations: if you do not pass a nonce, the widget works exactly as it always has.

And if a Content Security Policy does block the widget styles, the widget now logs a clear warning in the browser console with a link to the fix, so a missing or mismatched nonce is easy to spot during integration.
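A server-side sketch of the setup described above, added here as an example and not SiteSpeak's own code: it generates a per-request nonce, builds the two directives, renders the embed snippet, and checks that the policy and the nonce agree. The function names, the Node.js runtime, the chatbot ID format and the use of document.head.appendChild are assumptions; the policy shows only script-src and style-src.

```javascript
// Added example; function names are illustrative, not part of the widget.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// A nonce must be unpredictable and generated fresh for every response.
function newNonce() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  return Buffer.from(bytes).toString("base64");
}

// Only the two directives the changelog mentions; a real policy has more.
function buildCsp(nonce) {
  return `script-src 'nonce-${nonce}'; style-src 'nonce-${nonce}'`;
}

// The inline bootstrap script carries the nonce attribute itself and hands
// the same value to the loader through s.nonce.
function renderEmbed(nonce, chatbotId) {
  // ID format is an assumption; reject anything that could break out of the string.
  if (!/^[A-Za-z0-9_-]+$/.test(chatbotId)) throw new Error("unexpected chatbot id");
  return [
    `<script nonce="${nonce}">`,
    `  var s = document.createElement("script");`,
    `  s.src = "https://sitespeak.ai/chatbots/${chatbotId}.js";`,
    `  s.nonce = "${nonce}";`,
    `  s.async = 1;`,
    `  document.head.appendChild(s);`,
    `</script>`,
  ].join("\n");
}

// Integration check: list the problems when the policy header and the nonce
// used in the page do not line up (script-src and style-src only).
function checkCsp(header, nonce) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  const problems = [];
  for (const name of ["script-src", "style-src"]) {
    const sources = directives.get(name);
    if (!sources) problems.push(`${name} missing`);
    else if (!sources.includes(`'nonce-${nonce}'`)) problems.push(`${name} lacks this nonce`);
  }
  if ((directives.get("style-src") ?? []).includes("'unsafe-inline'"))
    problems.push("style-src still lists 'unsafe-inline'");
  return problems;
}
```

Call newNonce() once per response and pass that one value to both buildCsp() and renderEmbed(); a cached page that reuses an old nonce is the mismatch checkCsp() reports.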

How to set it up
