Cobrowse Security and Integrity

The Glance Cobrowse Service allows one or more customer service agents to view, in real time, the web browsing activity of visitors to a website. Agents see exactly what visitors see in their browsers, with the exception of the contents of designated masked fields, such as a credit card number or password.

This document outlines the mechanisms that guarantee the security and integrity of the Glance Cobrowse service specifically. Security of the Glance website, database infrastructure, and Glance login and account management is covered in the general Glance security whitepaper.

For definitions of terms, please see the glossary.

The Glance Cobrowse service relies on a <script> tag embedded in each page of your website. It loads a JavaScript file hosted by the Glance web server, and starts Cobrowse sessions when your website visitors want them. In this explanation we call this visitor JavaScript file Cobrowse.js.

Session Initiation

All visitor-initiated Cobrowse sessions require a way for the visitor to obtain the unique session key to share with the agent. Session keys are often hard-to-guess numbers like 65432. The agent needs the key to join the session. At Glance, we recommend using an HTML element, typically a button on the page. For more information, please see Create and Add a Cobrowse Button. Alternatively, you can allow the visitor to generate a session key with a hot-key combination such as Shift - Enter.

NOTE: We suggest you use an HTML element to initiate sessions, because visitors on mobile browsers cannot use hot-key combinations. And, some website visitors may struggle with certain hot-keys.

Content Security Policy (CSP)

If your website uses Content Security Policy (CSP) headers, they may need to be modified to allow your visitors to use Cobrowse sessions.

If your CSP relies on the generic default-src directive to specify trusted protocols and hosts, the following need to be added to the list of default-src origins:

            wss://* https://*;

If your CSP uses more specific directives, add these origins to those directives.

connect-src wss://* https://*;

NOTE: If you self-host your Cobrowse JavaScript files, your CSP settings do not need to be modified except for `connect-src`.
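
As an added example (not Glance's code), this Node.js checker covers the CSP changes described above: it parses a policy, finds the directive that governs WebSocket and XHR/fetch connections (connect-src, falling back to default-src), and reports which of the two sources from this page are still missing. The function names and sample policies are constructed for illustration, and matching is deliberately conservative: only the exact source or its bare scheme counts.

```javascript
// Added example: checks whether a CSP allows the connections listed above.
// REQUIRED mirrors the two sources from this page; function names are hypothetical.
const REQUIRED = ["wss://*", "https://*"];

// Parse a Content-Security-Policy header value into Map(directive -> [sources]).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Conservative match: only the exact source or its bare scheme ("wss:") counts.
function covers(sources, required) {
  const scheme = required.split("//")[0]; // "wss:" or "https:"
  return sources.some((s) => {
    const v = s.toLowerCase();
    return v === required || v === scheme;
  });
}

// Report which directive governs connections and which sources are missing.
function checkCobrowseCsp(header) {
  const policy = parseCsp(header);
  // connect-src falls back to default-src when it is absent.
  const governing = policy.has("connect-src") ? "connect-src"
    : policy.has("default-src") ? "default-src" : null;
  if (governing === null) return { governing, missing: [] }; // nothing restricts connections
  const sources = policy.get(governing);
  const missing = REQUIRED.filter((r) => !covers(sources, r));
  return { governing, missing };
}

// Constructed sample policies, not taken from any real site.
const samples = [
  "default-src 'self'; img-src 'self' data:",
  "default-src 'self' wss://* https://*; connect-src 'self'",
  "default-src 'self'; connect-src 'self' wss://* https://*",
];
for (const csp of samples) {
  const { governing, missing } = checkCobrowseCsp(csp);
  console.log(`${governing}: ${missing.length ? "add " + missing.join(" ") : "ok"}`);
}
```

The second sample shows the case the page's wording guards against: the origins were added to default-src, but an existing connect-src overrides it, so the connections are still blocked.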

Agent Group Policies

If your organization’s agents use Microsoft Edge or Internet Explorer, you may have Group Policy Manager settings in place. If so, please make sure that your agents' Trusted Sites include https://* so that your agents can connect to Cobrowse sessions.

Field Masking (optional)

You may prevent sensitive visitor information from being shown to your agents while cobrowsing. For example, you may conceal your visitors' payment card numbers or taxpayer ID numbers from your agents. Use Field Masking to do this.

You can add an HTML attribute or class to each object you wish to mask. Or, you can identify them via CSS selectors in the Glance Admin Portal. You may find more information about masking here.

Firewall settings

To ensure your agents can connect and cobrowse properly with your visitors, your network team may need to place Glance’s URLs and IP addresses on your firewall's allow-lists.

Glance Cobrowse needs access to these URLs:

If your network team requires specific blocks of IP addresses, you may find the latest address block list here.

The types of connections we use and their ports are:

Type      Port    Notes
TCP/IP    5000
TCP/IP    5001
WSS       443     Secure WebSocket
HTTP      80      Only for cobrowsing HTTP (not HTTPS) websites

We offer a firewall test page here. It tries to contact Glance's session servers and diagnoses problems. If your agents have trouble accessing Glance Cobrowse services, we suggest you ask them to access the firewall test page from their workstations.
