Cobrowse Security and Integrity
The Glance Cobrowse Service allows one or more customer service agents to view, in real time, the web browsing activity of visitors to a website. Agents see exactly what visitors see in their browsers, with the exception of the contents of designated masked fields, such as a credit card number or password.
This document outlines the mechanisms that guarantee security and integrity specifically of the Glance cobrowse service. Security of the Glance website, database infrastructure, and Glance login and account management is covered in the general Glance security whitepaper.
For definitions of terms, please see the glossary.
The Glance Cobrowse service relies on a <script> tag embedded in each page of your website.
your website visitors want them.
All visitor-initiated Cobrowse sessions require a way for the visitor to obtain the unique session key to share with the agent. The agent needs the key to join the session. Session keys are often hard-to-guess numbers like 65432.
At Glance, we recommend using an HTML element, typically a button on the page.
For more information, please see Create and Add a Cobrowse Button.
Alternatively, you can allow the visitor to generate a session key with a hot-key combination such as
NOTE: We suggest you use an HTML element to initiate sessions, because visitors on mobile browsers cannot use hot-key combinations, and some website visitors may struggle with certain hot-keys.
Content Security Policy (CSP)
If your website uses Content Security Policy (CSP) headers, they may need to be modified to allow your visitors to use Cobrowse sessions.
If your CSP relies on the generic default-src directive to specify trusted protocols and hosts, the following need to be added to the list of
default-src https://glancecdn.net https://s3.amazonaws.com/glancecdn/ wss://*.glance.net https://*.glance.net;
If your CSP uses more specific directives, add these origins to those directives.
connect-src wss://*.glance.net https://*.glance.net;
style-src https://www.glancecdn.net https://s3.amazonaws.com/glancecdn/;
script-src https://www.glancecdn.net https://s3.amazonaws.com/glancecdn/;
img-src https://www.glancecdn.net https://s3.amazonaws.com/glancecdn/;
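The following is an added example, not Glance's own code: it merges the origins listed above into an existing policy, using the specific directive when the policy defines it and default-src when the browser would fall back to it. The function names and the sample policy are constructed for illustration; the origins are copied from this page as written.

```javascript
// Origins copied verbatim from the directives on this page; all names below are hypothetical.
const CDN = ["https://www.glancecdn.net", "https://s3.amazonaws.com/glancecdn/"];
const GLANCE_SPECIFIC = {
  "connect-src": ["wss://*.glance.net", "https://*.glance.net"],
  "style-src": CDN,
  "script-src": CDN,
  "img-src": CDN,
};
const GLANCE_DEFAULT = ["https://glancecdn.net", "https://s3.amazonaws.com/glancecdn/",
  "wss://*.glance.net", "https://*.glance.net"];

// Parse a CSP header value into a Map of directive name -> array of sources.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // Browsers ignore a repeated directive, so only the first occurrence is kept.
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Append the wanted sources that are absent. 'none' is only valid alone, so it is dropped.
function merge(existing, wanted) {
  const kept = existing.filter((s) => s.toLowerCase() !== "'none'");
  return kept.concat(wanted.filter((s) => !kept.includes(s)));
}

// Return the header with the Glance origins added where the browser will look for them.
function addGlanceSources(header) {
  const policy = parseCsp(header);
  let needsDefault = false;
  for (const [name, wanted] of Object.entries(GLANCE_SPECIFIC)) {
    if (policy.has(name)) policy.set(name, merge(policy.get(name), wanted));
    else needsDefault = true; // this fetch type falls back to default-src
  }
  if (needsDefault && policy.has("default-src")) {
    policy.set("default-src", merge(policy.get("default-src"), GLANCE_DEFAULT));
  }
  return [...policy].map(([name, sources]) => [name, ...sources].join(" ")).join("; ");
}

// Constructed sample policy, not taken from any real site.
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src 'none'";
console.log(addGlanceSources(SAMPLE_POLICY));
```

Running the function on its own output returns the same string, so it can be used as a deployment check that the policy already carries every required origin.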
Agent Group Policies
If your organization’s agents use Microsoft Edge or Internet Explorer, you may have Group Policy Manager settings in place.
If so, please ensure that your agents' Trusted Sites include
to ensure your agents can connect to cobrowse sessions.
Field Masking (optional)
You may prevent sensitive visitor information from being shown to your agents while cobrowsing. For example, you may conceal your visitors' payment card numbers or taxpayer ID numbers from your agents. Use Field Masking to do this.
You can add an HTML attribute or class to each object you wish to mask. Or, you can identify them via CSS selectors in the Glance Admin Portal. You may find more information about masking here.
To ensure your agents can connect and cobrowse properly with your visitors, your network team may need to place Glance’s URLs and IP addresses on your firewall's allow-lists.
Glance Cobrowse needs access to these URLs:
https://s3.amazonaws.com/glancecdn/
https://*.glance.net
https://www.glancecdn.net
If your network team requires specific blocks of IP addresses, you may find the latest address block list here.
The types of connections we use and their ports are:
| HTTP | 80 | Only for cobrowsing HTTP (not HTTPS) websites |
We offer a firewall test page here. It tries to contact Glance's session servers and diagnoses problems. If your agents have trouble accessing Glance Cobrowse services, we suggest you ask them to access the firewall test page from their workstations.