If your site sends a Content-Security-Policy header, allow the Productlane widget's hosts so the loader script and its iframe can load. Without these directives, the widget button does not appear and the browser console shows a CSP violation.
Add the widget's hosts to two directives:
Content-Security-Policy: script-src https://widget.productlane.com; frame-src https://widget-main-app.pages.dev;
script-src loads the widget loader from https://widget.productlane.com.
frame-src renders the widget itself, which runs in an iframe served from Productlane.
Merge these into your existing directives rather than replacing them. If you already set default-src, you still need the two entries above, because script-src and frame-src override default-src for their resource types.
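One way to do this merge programmatically, as an added example that is not Productlane's code; the function names and the sample policy are constructed for illustration. It also handles a policy that has only default-src (or child-src) by seeding the new directive from the one it was falling back to, so your existing scripts and frames keep loading.

```javascript
// Added example (not Productlane code): merge the widget hosts into a CSP string.
const WIDGET_SOURCES = {
  "script-src": "https://widget.productlane.com",
  "frame-src": "https://widget-main-app.pages.dev",
};
// An absent directive falls back to the first of these that is present.
const FALLBACKS = {
  "script-src": ["default-src"],
  "frame-src": ["child-src", "default-src"],
};

function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources); // browsers use the first duplicate
  }
  return policy;
}

function allowWidget(header) {
  const policy = parsePolicy(header);
  for (const [directive, host] of Object.entries(WIDGET_SOURCES)) {
    let sources = policy.get(directive);
    if (!sources) {
      const inherited = FALLBACKS[directive].find((d) => policy.has(d));
      // No directive and no fallback: this resource type is unrestricted,
      // so adding one would only tighten the policy and break the page.
      if (!inherited) continue;
      // Copy the inherited sources so existing scripts/frames stay allowed.
      sources = [...policy.get(inherited)];
    }
    // 'none' must stand alone, so drop it once a real source is added.
    sources = sources.filter((s) => s.toLowerCase() !== "'none'");
    if (!sources.includes(host)) sources.push(host);
    policy.set(directive, sources);
  }
  return [...policy].map(([name, srcs]) => [name, ...srcs].join(" ")).join("; ");
}

// Constructed sample policy: only default-src and img-src are set.
const EXISTING = "default-src 'self'; img-src 'self' data:";
console.log(allowWidget(EXISTING));
```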
The widget runs inside an iframe. Its own network activity (the support and chat API, the real-time live chat connection, fonts, and uploaded images) all happens under Productlane's origin inside that iframe, not under your page's origin. Your page's CSP governs only the loader script and the frame, so those two directives are enough. You do not need to add connect-src, font-src, or img-src entries for the widget.
Reload your page with the directives in place and open the browser console. A clean console and a visible widget button confirm the policy allows the widget. If you still see a "Refused to load" or "Refused to frame" error, the reported directive names the one to extend.