10 Creating Configuration Files for Privacy and Security

Overview: Configuration Files for Privacy and Security

For cobrowsing to be effective, customers must be assured that their privacy and security are maintained during an interaction where an agent can see the customer’s screen.

  • Page masking is applied to block certain web content from showing on an agent’s screen.

  • Application masking is applied to specific applications.

  • Field blocking masks specific areas on a page that must be blocked from an agent’s view, such as a credit card number field on a web form.

  • Agent controls define what the agent can see and what functions they can perform.

Security and privacy options are handled differently within the two modes of Oracle Cobrowse:
  • In Instant Mode, only website content tagged with Cobrowse Javascript can be viewed by the agent. For any content that includes sensitive customer data, the Cobrowse script can be configured to prevent the agent from viewing these pages. Additionally, field blocking can be applied to prevent viewing sensitive form fields during a Cobrowse session (examples: credit card numbers, social security numbers, etc.).

  • In Advanced Mode, any combination of website and desktop content can be visible to the agent. This is not limited to website pages tagged with Cobrowse Javascript, but is controlled within the configuration.

Planning your configuration: As part of initial scoping or planning for a Cobrowse configuration project, it is important to identify requirements for each of the areas listed above. Think through what information should be masked from an agent’s view. Content subject to PCI and HIPAA compliance (e.g., credit card numbers, social security numbers) is often masked. Additionally, password reset pages as well as responses to validation questions (e.g., “in what city were you born”) are often masked. Submit buttons to purchase products or execute trades are often where agents are prevented from using full control.

Working with masking files: Masking should be performed at the root company level as it is Site ID dependent. Before you can configure your masks on your site, you must first create a configuration file in an .xml format to be uploaded to your site. Page blocking may be configured by page title, page URL, or by both page title and URL. When masking by both page title and URL, the application will use titles only if the browser does not support URL-based masking.

Note: For certain Cobrowse ICB deployments (for example, Cloud) the presence of a page masking configuration affects the deployment instructions available on the Cobrowse V4 /Configuration page.

Configure Page Masking

Follow this procedure to configure page masking by page title and URL.

Details on preparing your page blocking files are in the following procedures:
  1. Click Products, and then select Co-browse V4 > Masking Configuration (V3/V4).

  2. Select the SiteID you are configuring page masking for.

    In the Status column, a red button indicates that a configuration file has not been uploaded and a green button indicates that a configuration file has been uploaded.
  3. Click Configure in the Page blocking row to upload a page masking configuration file.

    The page will reload.
  4. Click Choose Configuration File and browse to your configuration file in xml format.

  5. Click Save.

    The configuration file is committed. If you try to leave this page without saving your changes, a warning message appears that your changes will be lost. Once the configuration file is committed, you can view the file by clicking View configuration. If you want to delete a configuration file that has been committed, click Delete configuration.

    Masking Pages by Page URL

    There are three properties to configure for page masking by page URL.

    Configure a list of URL patterns to show (ltb_urls), a list of URL patterns to mask within that list (ltb_urls_exc), and a list of URLs to show even though the general rules of the mask list cover them (ltb_urls_force_inc). URL patterns are used to configure URL-based page blocking. The URL can be represented with the following structure:

    <PROTOCOL>://<DOMAIN>/<PATH>?<PARAMS>#<HASH>

    For example, with this URL:

    http://retail.com/coffeemakers/FastBrew.html?q=fdserew&t=retail#email

    <PROTOCOL> is http, <DOMAIN> is retail.com, <PATH> is coffeemakers/FastBrew.html, <PARAMS> is q=fdserew&t=retail, and <HASH> is email.

      Use Wildcards in URL Page Masking

      You can use wildcards (* and +) as a first or last character in each part of the URL pattern for page blocking configurations.

      The wildcard ‘*’ means that there can be zero or more characters in place of the ‘*’ symbol. The only special case here is when the ‘*.’ appears at the beginning of the <DOMAIN>. For example, http://*.google.com/*?*#* matches both http://www.google.com and http://google.com URLs.

      Note: The MS Edge browser removes “www” from URLs, so do not include “www” in your wildcard masking pattern. For example, use http*://*.google.com/*?*#* to match https://www.google.com instead of http*://www.google.com/*?*#*.

      The wildcard ‘+’ means that there should be at least one character in place of the ‘+’ symbol.

      While it is usually sufficient to have ‘*’ in place of <PARAMS>, you can further specify it if you need more fine-grained configuration with a “<KEY_1>=<VALUE_1> and <KEY_2>=<VALUE_2>…” format and using a wildcard as a first or last character in the <VALUE> part.

      Examples

      http*://*.retail.com/*?*#*

      This pattern matches all URLs from the retail.com domain:
      • http://www.retail.com

      • http://retail.com

      • https://support.retail.com/credit/financing.aspx?itemtype=CFG&s=biz&l=en &c=us& #dbc_app~b4qjrr

      http://ecomm.retail.com/kitchen/basket.aspx

      This pattern only matches http://ecomm.retail.com/kitchen/basket.aspx. The following URLs do not match this pattern:
      • http://ecomm.retail.com/kitchen/basket.aspx#payppcc~

      • http://ecomm.retail.com/kitchen/basket.aspx?c=us

      • https://ecomm.retail.com/kitchen/basket.aspx

        Example: Configure Page Masking by Page URL

        The following .xml is an example of a URL-based page masking configuration.

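        <configuration>
            <siteCode id="<SITE_ID>" currentState="Active">
                <module id="LTB" scope="SITE">
                    <!-- URLs to show -->
                    <param id="ltb_urls">
                        <value text="http*://*.livelook.com/*#*" title="" seqId="0" />
                    </param>
                    <!-- URLs to mask within the list above -->
                    <param id="ltb_urls_exc">
                        <value text="https://*/*#*" title="" seqId="0" />
                    </param>
                    <!-- URLs to show even though the mask list covers them -->
                    <param id="ltb_urls_force_inc">
                        <value text="https://www.livelook.com/checkout.apsx" title="" seqId="0" />
                    </param>
                    <!-- URLs on which remote control is suspended -->
                    <param id="ltb_urls_view_only_mode">
                        <value text="https://www.livelook.com/checkout.apsx" title="" seqId="0" />
                    </param>
                </module>
            </siteCode>
        </configuration>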
        With this configuration, all HTTP URLs from the livelook.com domain and only one HTTPS page (https://www.livelook.com/checkout.apsx) will be visible, as illustrated below. The black boxes represent masked URLs, and the white boxes represent visible URLs.
        Image depicting a white box within a black box within a white box within a black box. The innermost white box is the URLs forced inclusion list (such as https://www.livelook.com/checkout.apsx); the black box around it is the URLs exclusion list, the white box around that is the URLs inclusion list (such as *.livelook.com), and the outside black box is all domains.

        The variable <param id="ltb_urls_view_only_mode"> further specifies that remote control access is suspended on https://www.livelook.com/checkout.apsx and the agent may only view the page. The agent will see a red border on that page and will receive a notification that control is suspended.
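
The wildcard and precedence rules in this section can be checked offline before a file is uploaded. The following Python sketch is an added example, not part of the product: it applies the matching rules as this page states them and treats a URL as visible when it matches ltb_urls and is either not matched by ltb_urls_exc or matched by ltb_urls_force_inc. Assumptions: the checkout page is listed under ltb_urls_force_inc, <PARAMS> is compared as one string rather than as key/value pairs, and the function names are illustrative.

```python
import re

WILD = {"*": ".*", "+": ".+"}  # '*' = zero or more chars, '+' = at least one

def split_url(s):
    """Split a URL or pattern into (protocol, domain, path, params, hash)."""
    proto, _, rest = s.partition("://")
    rest, _, frag = rest.partition("#")
    rest, _, params = rest.partition("?")
    domain, _, path = rest.partition("/")
    return proto, domain, path, params, frag

def part_regex(pat):
    """Wildcards count only as the first or last character of a part."""
    head = tail = ""
    if pat[:1] in WILD:
        head, pat = WILD[pat[0]], pat[1:]
    if pat[-1:] in WILD:
        tail, pat = WILD[pat[-1]], pat[:-1]
    return head + re.escape(pat) + tail

def url_matches(pattern, url):
    """A part missing from the pattern must be empty in the URL."""
    for i, (pat, val) in enumerate(zip(split_url(pattern), split_url(url))):
        candidates = [pat]
        if i == 1 and pat.startswith("*."):
            candidates.append(pat[2:])  # special case: '*.' also matches the bare domain
        if not any(re.fullmatch(part_regex(c), val) for c in candidates):
            return False
    return True

def is_visible(url, cfg):
    """Inclusion list, minus exclusion list, plus forced inclusion list."""
    def hit(key):
        return any(url_matches(p, url) for p in cfg.get(key, []))
    return hit("ltb_urls") and (not hit("ltb_urls_exc") or hit("ltb_urls_force_inc"))

# Constructed from the example configuration on this page.
CFG = {
    "ltb_urls": ["http*://*.livelook.com/*#*"],
    "ltb_urls_exc": ["https://*/*#*"],
    "ltb_urls_force_inc": ["https://www.livelook.com/checkout.apsx"],
}

if __name__ == "__main__":
    for u in ("http://www.livelook.com/pricing",
              "https://www.livelook.com/account",
              "https://www.livelook.com/checkout.apsx",
              "https://example.org/"):
        print("visible" if is_visible(u, CFG) else "masked ", u)
```

In this model a pattern with no ?<PARAMS> part, such as http*://*.livelook.com/*#*, does not match a URL that carries a query string, so that page stays masked.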

          Application Masking

          Application masking controls the visibility of specific desktop applications in Advanced Cobrowse mode.

          Application masking is defined in the same file as page masking. To accurately implement application masking, process names are used to identify the applications that should be visible.

          The following .xml is an example of an application masking configuration allowing Turbotax and Quickbooks applications to be visible during a session.

          <configuration>
              <siteCode id="<SITE_ID>" currentState="Active">
                  <module id="LTB" scope="SITE">
                      <param id="ltb_apps">
                          <value text="QBW32" title="" seqId="0" />
                          <value text="quickset" title="" seqId="0" />
                          <value text="qw" title="" seqId="0" />
                          <value text="Turbotax" title="" seqId="0" />
                      </param>
                  </module>
              </siteCode>
          </configuration>

          To specify that the customer’s browser settings are visible to an agent during a cobrowsing session, use the following xml variable:

          <param id="ltb_show_browser_settings"> 
          	<value text="yes" title="" seqId="0" />
          </param>
          

          To specify that the content of the customer’s browser tabs is not visible to an agent during a cobrowsing session, use the following xml variable:

          <param id="ltb_show_content_only"> 
          	<value text="yes" title="" seqId="0" />
          </param>
          

            Block a Field

            Administrators can set up a Cobrowse configuration to block a field from the agent’s view.

            Field blocking protects sensitive form data from being viewed by an agent or even transmitted at all during a cobrowsing session. Field blocking is often used to protect customer privacy when fields like credit card numbers and social security numbers are visible on a page that may be cobrowsed during a customer service interaction.
            The Cobrowse system must be able to identify each field that should be blocked. The simplest and preferred method is to set up a field class attribute for blocked fields. For example, a class named “LLBlocked” can be established, where any field on a page that includes both the Cobrowse Javascript code and references this class attribute will be blocked. The HTML markup for this example would be:
                <tr>
                    <td class="divLabel LLBlocked">Card Number:</td>
                    <td class="Field"><input name="tbAccountNumber" type="text" maxlength="16" size="20" id="tbAccountNumber" /></td>
                </tr>
            
            Note: To mask a drop down field, in addition to the field class attribute, the URL of the page with the drop down field must be configured in Cobrowse.
            A secondary method is to use the field ID. The disadvantage is that any time it is required to add a new blocked field, the ID of this field must be provided to the Configuration Administrator in order to configure it for privacy. From the example, this time the field class is not set and you would need the ID=tbAccountNumber to configure blocking:
                <tr>
                    <td class="divLabel">Card Number:</td>
                    <td class="Field"><input name="tbAccountNumber" type="text" maxlength="16" size="20" id="tbAccountNumber" /></td>
                </tr>
            
            1. After writing the xml for field blocking using either a field class or field ID attribute, mark the field to be blocked with a subtle color shift for the field border and text.

              This enables the image capture algorithm to recognize that this is a blocked field. Colors are selected using a color picker, such as Eltima Software’s Absolute Color picker.
              Note: The color chosen must not be used anywhere else on the page or masking artifacts can appear. An example artifact is a masking dot where there should not be a masking symbol. It may take several tries to find a color combination that has no masking artifacts.
            2. On the Admin Console, click Products, and then select Co-browse V4 > Masking Configuration (V3/V4).

            3. Select the SiteID you are configuring page masking for.

              In the Status column, a red button indicates that a configuration file has not been uploaded and a green button indicates that a configuration file has been uploaded.
            4. Click Configure in the Field blocking row to upload a field masking configuration file.

              The page will reload.
            5. Click Choose Configuration File and browse to your configuration file in xml format.

            6. Click Save.

              The configuration file is committed. If you try to leave this page without saving your changes, a warning message appears that your changes will be lost. Once the configuration file is committed, you can view the file by clicking View configuration. If you want to delete a configuration file that has been committed, click Delete configuration.
            7. Click Deployment Instructions on the Configuration tab to see and email instructions.

              The field blocking script appears in this window as an fmset.js script and can be sent to the email you provide.
            8. Copy and paste the full text of the fmset.js <script> tag from the deployment instructions as the last element in the <head> tag on every page to be blocked or which contains fields to be blocked.

              The following is an example of a field blocking script. You will need to use your unique URL from the deployment instructions.
              <script type="text/javascript" src="https://b6ac25f4e1c9-9b11bfce.ssl.cf2.com/llscripts/fmset.js"></script>

              Mask Data Displaying in a Div Overlay

              Administrators can set up a Cobrowse configuration to block sections from the agent’s view.

              Use the LLBlocked class to block fields such as credit card numbers (see Block a Field). Use the LLPageBlocked class to block sections such as call detail. In Advanced mode, the whole page will be masked if a page section tagged with the LLPageBlocked class becomes visible. In Instant mode, only the appropriate section of the page will be masked.

              1. If the fields or sections which should be masked are added to the page after the page is loaded (for example, via an AJAX request), use the following JavaScript code after the appropriate fields or sections are added to the page (become part of the Document Object Model (DOM)):

                if (typeof LiveLookFM != "undefined") {
                      LiveLookFM.fieldMask("");
                } 
                
              2. If sections are not added dynamically but exist in the DOM and their visibility is changed via JavaScript, do one of the following:

                • To mask a section tagged with LLPageBlocked class, the element itself should include either the style property display:none; or visibility:visible; such as
                  <div class="LLPageBlocked" style="display:none;"></div>
                • To unmask a section tagged with LLPageBlocked class, the element itself should include either the style property display:block; or visibility:hidden; such as
                  <div class="LLPageBlocked" style="display:block;"></div>

                Examples: Field Blocking

                The following are example xml files for field blocking.

                Example XML file for use of field IDs to identify fields that should be masked:

                <configuration>
                    <siteCode id="Example:SC43636199:AU:1" currentState="Pending">
                        <module id="FM" scope="SITE">
                            <!-- Border and text colors that mark a blocked field -->
                            <param id="fm_border_color"><value text="C8DEC6" title="" seqID="0" /></param>
                            <param id="fm_text_color"><value text="0D0C24" title="" seqID="0" /></param>
                            <!-- IDs of the fields to block -->
                            <param id="fm_html_field_ids">
                                <value text="cardNumber" title="" seqID="0" />
                                <value text="cardDateMonth" title="" seqID="0" />
                                <value text="cardDateYear" title="" seqID="0" />
                                <value text="errorWDS_CVV" title="" seqID="0" />
                            </param>
                        </module>
                    </siteCode>
                </configuration>

                Example XML file for use of field class attributes to identify fields that should be masked:

                <configuration>
                    <siteCode id="Example:SC43636199:AU:1" currentState="Pending">
                        <module id="FM" scope="SITE">
                            <!-- Border and text colors that mark a blocked field -->
                            <param id="fm_border_color"><value text="C8DEC6" title="" seqID="0" /></param>
                            <param id="fm_text_color"><value text="0D0C24" title="" seqID="0" /></param>
                            <!-- Class name carried by the fields to block -->
                            <param id="fm_html_class_name"><value text="LLBlocked" title="" seqID="0" /></param>
                        </module>
                    </siteCode>
                </configuration>

                  Masking and Blocking Configuration Variable Summary

                  The following table lists the variables that may be used to configure page blocking and field blocking.

                  Table: Variables Used in Page and Field Blocking

                  Variable                    Type        Description
                  ltb_apps                    recordset   Applications to show
                  ltb_show_browser_settings   value       Show browser settings
                  ltb_show_content_only       value       Show browser window content only
                  ltb_urls                    recordset   Browser URLs to show
                  ltb_urls_exc                recordset   Browser URLs to mask
                  ltb_urls_force_inc          recordset   Browser URLs to show even if in the mask list
                  ltb_urls_view_only_mode     recordset   Browser URLs to suspend remote control
                  ltb_view_pointer_mode       recordset   Browser URL and title pairs to allow only view and pointer mode on the page. The pair must be separated by a pipe: "URL | Title". The title can be omitted. A space before | is required.
                  fm_border_color             value       Border color
                  fm_html_class_name          value       HTML field class name
                  fm_html_field_ids           recordset   HTML field IDs
                  fm_text_color               value       Text color
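
A configuration file can be checked against this table before it is uploaded. The following Python sketch is an added example, not part of the product: it reports files that are not well-formed (for example, a <param> that is never closed) and parameters that do not match the variable names and types listed above. Assumptions made for the example: ids carry no surrounding whitespace, variables of type "value" hold a single entry, and colors are six hex digits as in the examples on this page; the site ID and URL in the samples are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Variable names and types copied from the summary table on this page.
KNOWN = {
    "ltb_apps": "recordset", "ltb_show_browser_settings": "value",
    "ltb_show_content_only": "value", "ltb_urls": "recordset",
    "ltb_urls_exc": "recordset", "ltb_urls_force_inc": "recordset",
    "ltb_urls_view_only_mode": "recordset", "ltb_view_pointer_mode": "recordset",
    "fm_border_color": "value", "fm_html_class_name": "value",
    "fm_html_field_ids": "recordset", "fm_text_color": "value",
}

def lint_config(xml_text):
    """Return a list of problems found in a masking configuration file."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    for param in root.iter("param"):
        raw = param.get("id", "")
        pid = raw.strip()
        if raw != pid:
            problems.append(f"param id {raw!r} has surrounding whitespace")
        kind = KNOWN.get(pid)
        if kind is None:
            problems.append(f"unknown param id {raw!r}")
            continue
        texts = [v.get("text", "") for v in param.findall("value")]
        if not texts or any(not t.strip() for t in texts):
            problems.append(f"{pid}: missing or empty <value text=...>")
        if kind == "value" and len(texts) > 1:
            problems.append(f"{pid}: single-value variable has {len(texts)} values")
        if pid.endswith("_color"):
            problems += [f"{pid}: {t!r} is not a 6-digit hex color"
                         for t in texts if not re.fullmatch(r"[0-9A-Fa-f]{6}", t)]
    return problems

# Constructed sample: the first <param> is never closed.
BROKEN = """<configuration><siteCode id="EXAMPLE-SITE" currentState="Pending">
<module id="FM" scope="SITE">
<param id="fm_border_color"><value text="C8DEC6" title="" seqID="0" />
<param id="fm_html_class_name"><value text="LLBlocked" title="" seqID="0" />
</param></module></siteCode></configuration>"""

# Constructed sample: a leading space in one id and a 5-digit color.
SPACED = """<configuration><siteCode id="EXAMPLE-SITE" currentState="Active">
<module id="LTB" scope="SITE">
<param id=" ltb_urls_view_only_mode">
<value text="https://shop.example/checkout" title="" seqId="0" /></param>
<param id="fm_text_color"><value text="0D0C2" title="" seqID="0" /></param>
</module></siteCode></configuration>"""

if __name__ == "__main__":
    for name, sample in (("BROKEN", BROKEN), ("SPACED", SPACED)):
        print(name, lint_config(sample))
```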

                  Configure IP Address Restrictions

                  IP restrictions restrict the range of IP addresses from which an agent can connect to a cobrowse session.

                  IP address restrictions limit agents from connecting with your customers outside of pre-defined IP addresses.
                  Note: IP restrictions are performed at the parent company level and apply to all sub-companies and divisions.
                  1. From the Admin Console, click Company Set-up.

                  2. Click Company Configuration.

                  3. On the IP Address Restriction page, add IP restriction blocks in “slash notation” to represent the range of IP addresses to be configured: [IP address of a network] / [subnet mask number].

                    Note: The IP address of a network must be aligned to the beginning of a block (e.g., 10.0.0.0/27). Use slash 32 to configure a single IPv4 address (e.g., 192.168.0.100/32). If you get an invalid IP response when saving your IP configuration, check with your network source to ensure you have a valid IP address block.
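
The alignment rule in the note above can be checked before the blocks are entered. The following Python sketch is an added example, not part of the product: it uses the standard ipaddress module to reject entries whose address is not at the start of its block, shows the aligned block and the address range each valid entry admits, and tests whether a given agent address falls inside the configured blocks. The function names and sample entries are constructed for the example.

```python
import ipaddress

def check_block(entry):
    """Return (ok, message) for one 'address/prefix' entry in slash notation."""
    entry = entry.strip()
    if "/" not in entry:
        return False, f"{entry}: missing /prefix (use /32 for a single IPv4 address)"
    try:
        # strict=True rejects an address that is not the start of its block
        net = ipaddress.ip_network(entry, strict=True)
    except ValueError:
        try:
            aligned = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False, f"{entry}: not a valid address/prefix"
        return False, f"{entry}: not aligned to a block start, nearest block is {aligned}"
    return True, f"{net}: {net.num_addresses} address(es), {net[0]} to {net[-1]}"

def agent_allowed(agent_ip, entries):
    """True if agent_ip falls inside any valid block; invalid entries are ignored."""
    addr = ipaddress.ip_address(agent_ip)
    nets = [ipaddress.ip_network(e.strip()) for e in entries if check_block(e)[0]]
    return any(addr in net for net in nets)

# Constructed sample entries: two valid blocks and one misaligned block.
ENTRIES = ["10.0.0.0/27", "192.168.0.100/32", "10.0.0.5/27"]

if __name__ == "__main__":
    for e in ENTRIES:
        print(check_block(e)[1])
    for ip in ("10.0.0.31", "10.0.0.32", "192.168.0.100", "192.168.0.101"):
        print(ip, "allowed" if agent_allowed(ip, ENTRIES) else "blocked")
```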