Cobrowse Security and Integrity
The Glance Cobrowse Service allows one or more customer service agents to view, in real time, the web browsing activity of visitors to a website. Agents see exactly what visitors see in their browsers, with the exception of the contents of designated masked fields, such as a credit card number or password.
This document outlines the mechanisms that guarantee security and integrity specifically of the Glance cobrowse service. Security of the Glance website, database infrastructure, and Glance login and account management is covered in the general Glance security whitepaper.
For definitions of terms, please see the glossary.
The Glance Cobrowse service relies on a
<script> tag embedded in each page of your website.
It loads a JavaScript file hosted by the Glance web server, and starts Cobrowse sessions when
your website visitors want them.
In this explanation we call this visitor javascript file Cobrowse.js.
Session Initiation
All visitor-initiated Cobrowse sessions require a way for the visitor to obtain the
Session keys are often hard-to-guess numbers like 65432.
unique session key
to share with the agent. The agent needs the key to join the session.
At Glance, we recommend using an HTML element, typically a button on the page.
For more information, please see Create and Add a Cobrowse Button.
Alternatively, you can allow the visitor to generate a session key with a hot-key combination such as Shift - Enter.
NOTE: We suggest you use an HTML element to initiate sessions, because visitors on mobile browsers cannot use hot-key combinations. And, some website visitors may struggle with certain hot-keys.
Content Security Policy (CSP)
If your website uses Content Security Policy (CSP) headers, they may need to be modified to allow your visitors to use Cobrowse sessions. See the CSP Headers section for modifying CSP headers.
NOTE:
If a customer disallows unsafe-inline styles, Cobrowse will continue to work as expected. However, you may see CSP violation warnings in the console that reference unsafe-inline styles being blocked, these are harmless and can be ignored.
Cobrowse Session Workflow
Refer to Security Architecture for a step-by-step breakdown of the Cobrowse Session Workflow.
Agent Group Policies
If your organization’s agents use Microsoft Edge,
you may have Group Policy Manager settings in place.
If so, please ensure that your agents' Trusted Sites include https://*.glance.net
to ensure your agents can connect to cobrowse sessions.
Field Masking (optional)
You may prevent sensitive visitor information from being shown to your agents while cobrowsing. For example, you may conceal your visitors' payment card numbers or taxpayer ID numbers from your agents. Use Field Masking to do this.
You can add an HTML attribute or class to each object you wish to mask. Or, you can identify them via CSS selectors in the Glance Admin Portal. You may find more information about masking here.
Firewall settings
To ensure your agents can connect and cobrowse properly with your visitors, your network team may need to place Glance’s URLs and IP addresses on your firewall's allow-lists.
Glance Cobrowse needs access to these URLs:
https://*.glancecdn.net
https://*.glance.net
If your network team requires specific blocks of IP addresses, contact Glance support (support@glance.net) for a list of ranges and ports.
The types of connections we use and their ports are:
| Type | Port | |
|---|---|---|
| TCP/IP | 5000 | |
| TCP/IP | 5001 | |
| HTTPS | 443 | |
| WSS | 443 | Secure WebSocket |
| HTTP | 80 |
If your agents have trouble accessing Glance Cobrowse services contact Glance support (support@glance.net).