Ask Me Bot Case Study #2: Safe Single-Script Embed
Workbot covered widget token security and rate limiting. This one approaches the problem from a completely different angle: what does the embed script itself do to the host website? A naive script injection runs with full page access, blocks rendering, and breaks strict Content Security Policies. The solution had four parts: a sandboxed iframe architecture in which every line of widget code runs on Askme Bot's own origin with no access to the host page whatsoever; an async, deferred loader that adds zero render blocking; documented CSP directives for security-conscious sites; and a narrow postMessage interface that provides the integration hooks host pages legitimately need without opening the widget's internals to host-page JavaScript.
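The host-page side of a narrow postMessage interface like the one described above, as an added example that is not Askme Bot's own code: the origin `https://widget.example`, the `widget:*` message names and the function names are assumptions made for illustration. The handler accepts a message only if it comes from the widget iframe's exact origin and window, names an allow-listed type, and carries a payload of the expected shape.

```javascript
// Added example: host-side gate for messages arriving from the widget iframe.
// WIDGET_ORIGIN and the widget:* message names are assumptions, not a real API.
const WIDGET_ORIGIN = 'https://widget.example';

function isPlain(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Allow-list: message type -> validator for its payload. Anything else is dropped.
const ALLOWED = {
  'widget:ready': (p) => p === undefined,
  'widget:resize': (p) => isPlain(p) && Number.isInteger(p.height) && p.height >= 0 && p.height <= 2000,
  'widget:unread': (p) => isPlain(p) && Number.isInteger(p.count) && p.count >= 0,
};

// Returns { type, payload } for an acceptable message, or null to drop it.
function acceptWidgetMessage(event, iframeWindow) {
  if (event.origin !== WIDGET_ORIGIN) return null;   // exact match, no prefix or suffix tests
  if (event.source !== iframeWindow) return null;    // must be our iframe, not another frame
  const data = event.data;
  if (!isPlain(data) || typeof data.type !== 'string') return null;
  // hasOwnProperty keeps inherited names such as "constructor" off the allow-list
  if (!Object.prototype.hasOwnProperty.call(ALLOWED, data.type)) return null;
  if (!ALLOWED[data.type](data.payload)) return null;
  return { type: data.type, payload: data.payload };
}

// Host -> widget: always name the target origin, never '*'.
function sendToWidget(iframeWindow, type, payload) {
  iframeWindow.postMessage({ type, payload }, WIDGET_ORIGIN);
}

// Browser wiring (commented out so the block also runs under Node):
// window.addEventListener('message', (e) => {
//   const msg = acceptWidgetMessage(e, iframe.contentWindow);
//   if (msg && msg.type === 'widget:resize') {
//     iframe.style.height = msg.payload.height + 'px';
//   }
// });
```

Because the payload is validated before use, the only effect a message can have on the host page is the one the handler explicitly implements for its type.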