Answered

How to implement CSP with Intercom?

  • 3 November 2023
  • 5 replies
  • 143 views

We need to add a Content Security Policy to our application that adheres to the following requirements:

  1. include a 'default-src' directive to act as a fallback for other resource types when their policy definitions are absent
  2. set explicit CSP 'script-src' and 'style-src' directives, without the use of wildcard domains
  3. not utilize any 'unsafe-' prefixed directives.

Reading through this article in Intercom Help, I think point #2 above can be addressed (but please confirm), and also advise if points #1 and #3 can work with Intercom (e.g. can we avoid using the 'unsafe-inline'?)


Best answer by Shauna 14 November 2023, 13:41


5 replies

Would love to have feedback on whether there is a way to implement this CSP. Does anyone know or have an idea?


Hey @Portal Support 👋🏼  Shauna here from Support! 

I’ve gone ahead and opened a conversation with one of our support engineers to help you with this 👍🏼

They’ll be in touch with you soon! 


Will update this thread with information as soon as this is resolved with support! 


Any updates on this? I’m in a similar boat. Adding 100+ hashes that won’t survive an update isn’t a sustainable strategy.

Experiencing the same issue. Help article seems to be out of date too.
Can we get an update on this? 


Regarding the original question, here is the response from the Support Team:

  1. Yes, a default-src directive can be included in the CSP ✅
  2. Our article lists all of the domains you'd need to allow under the script and style directives

For your third point: unfortunately, removing the 'unsafe-inline' keyword from the `style-src` directive may cause compatibility issues with the Intercom Messenger app. It's important to note that the 'unsafe-inline' keyword allows inline styles to be executed, which is necessary for the proper rendering of the app.

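One way to check a candidate policy against the three requirements in the original question, as an added example that is not from Intercom or from any poster in this thread. The host names are constructed placeholders, not Intercom's actual domains (those are listed in the help article the thread refers to).

```javascript
// Added example: audits a CSP header value against the question's three requirements.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP parsing rules, a repeated directive is ignored; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function auditCsp(policy) {
  const directives = parseCsp(policy);
  const findings = [];
  // Requirement 1: default-src must exist as the fallback.
  if (!directives.has('default-src')) findings.push('missing default-src');
  // Requirement 2: explicit script-src and style-src, with no wildcard hosts.
  for (const name of ['script-src', 'style-src']) {
    if (!directives.has(name)) { findings.push(`missing ${name}`); continue; }
    for (const src of directives.get(name)) {
      if (src.includes('*')) findings.push(`wildcard in ${name}: ${src}`);
    }
  }
  // Requirement 3: no 'unsafe-...' keyword in any directive.
  for (const [name, sources] of directives) {
    for (const src of sources) {
      if (src.toLowerCase().startsWith("'unsafe-")) findings.push(`${src} in ${name}`);
    }
  }
  return findings;
}

// Constructed sample policies; widget.example and cdn.example are placeholder hosts.
const withInlineStyles =
  "default-src 'self'; script-src 'self' https://widget.example; " +
  "style-src 'self' 'unsafe-inline'";
const wildcardNoDefault = "script-src https://*.cdn.example; style-src 'self'";

console.log(auditCsp(withInlineStyles));
console.log(auditCsp(wildcardNoDefault));
```

An empty result means the policy meets all three requirements; it does not tell you whether the Messenger still renders correctly under that policy.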