Security Considerations
Ensuring the security and privacy of user data is a top priority for Cisco. This page describes how Cisco In-Product Support protects user sessions and browsing data when delivered through the Cisco Support Assistant Extension or through native embed within supported Cisco product portals.
Secure Development Lifecycle (CSDL) Alignment
Cisco In-Product Support is developed in accordance with the Cisco Secure Development Lifecycle (CSDL), which applies security practices throughout design, development, testing, and deployment.
Key controls include:
- Privacy and data-handling compliance: The solution follows Cisco privacy requirements and internal data protection standards.
- Secure-by-design implementation: Security requirements are built into the product lifecycle, including code reviews and security validation activities.
- Handling unsupported products: When the extension detects a product that is not supported, it records the browser session as "product not supported". This prevents any unauthorized or unintended interactions that could compromise security.
Delivery Models
Cisco In-Product Support can be delivered in two ways:
- Cisco Support Assistant Extension (browser extension)
- Native embed (in-product delivery)
Both models are designed to operate only in approved Cisco product contexts and follow least-privilege principles.
A. Cisco Support Assistant Extension
Supported Product Detection
The extension uses product detection logic to identify whether the current page belongs to a supported Cisco product portal.
- If the product is supported, In-Product Support features are enabled.
- If the product is not supported, the extension records the session as "product not supported" and does not activate In-Product Support functionality.
This prevents unintended behavior on unsupported or unrelated sites.
Authentication and Access Control
In-Product Support features are available only when the user is authenticated using a valid Cisco.com ID, ensuring that functionality is limited to authorized users within Cisco product portals.
Session and Browsing Data Protection
- The extension is scoped to operate only within supported Cisco product portals.
- It does not collect or store browsing data from unrelated websites.
No Debugger Permissions Required
Cisco In-Product Support no longer relies on Chrome debugger capabilities. Chrome installation warnings related to debugger permissions are not applicable to the current implementation.
B. Native Embed
Native embed enables Cisco In-Product Support to run directly within a supported product portal without requiring a browser extension.
Security Boundaries
- Native embed inherits the hosting product's security controls, including origin restrictions, authentication, and authorization.
- The embedded experience runs only within the supported product environment.
Content Security Policy (CSP)
Native embed operates under the product portal's Content Security Policy (CSP). If CSP rules are overly restrictive, they may need to be updated to allow required In-Product Support resources to load securely. This helps prevent issues such as blocked scripts while maintaining protections against attacks like cross-site scripting (XSS).
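One way to check a portal policy before and after allowing the embed's resources, as an added example that is not Cisco code: it reports which required origins the policy blocks and which script sources would weaken XSS protection. The origins in `REQUIRED`, the sample policy and all function names are constructed placeholders, and host matching is simplified to scheme and host.

```javascript
// Added example. REQUIRED and SAMPLE are constructed placeholders, not real
// In-Product Support endpoints or a real portal policy.
const REQUIRED = {
  "script-src": ["https://support-embed.example.com"],
  "connect-src": ["https://support-embed.example.com"],
};
const SAMPLE = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; connect-src 'self'";
// Script sources that unblock loads by weakening XSS protection.
const WEAK = new Set(["*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"]);

// Parse a policy into Map<directive, source expressions> (lower-cased).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // Browsers ignore a repeated directive: the first occurrence wins.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// Simplified source match: scheme and host only, ports and paths ignored.
function sourceAllows(source, origin, selfOrigin) {
  const url = new URL(origin);
  if (source === "*") return true;
  if (source === "'self'") return url.origin === new URL(selfOrigin).origin;
  if (source.startsWith("'")) return false; // 'none', nonces, hashes
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return source === url.protocol;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && scheme + ":" !== url.protocol) return false;
  return wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
}

// Report required origins the policy blocks and weak script sources present.
function auditCsp(policy, selfOrigin) {
  const directives = parseCsp(policy);
  const effective = (d) => directives.get(d) ?? directives.get("default-src");
  const blocked = [];
  for (const [directive, origins] of Object.entries(REQUIRED)) {
    const sources = effective(directive);
    if (!sources) continue; // no directive and no default-src: unrestricted
    blocked.push(...origins
      .filter((o) => !sources.some((s) => sourceAllows(s, o, selfOrigin)))
      .map((o) => `${directive} ${o}`));
  }
  const weak = (effective("script-src") ?? []).filter((s) => WEAK.has(s));
  return { blocked, weak };
}
```

A policy that lists the required origins explicitly should return empty `blocked` and `weak` arrays; an empty `blocked` with entries in `weak` means the loads were unblocked by loosening the policy rather than by naming the origins.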
Transparency and User Control
- Users can disable the extension at any time using browser extension controls.
- In-Product Support functionality is intentionally limited to supported Cisco product portals to ensure safe and predictable operation.
By integrating these operational practices into the existing security model, we ensure that the platform is not only engineered for security from the ground up, but also operated, audited, and governed in a way that meets Cisco's global security and compliance standards.
If you have any concerns about security or data handling by the extension, contact us using the Contact option in the navigation bar.