CSP require-trusted-types-for 'script' header issue | Community

Hi team,

We're implementing the require-trusted-types-for 'script'; header in our app and have set up a default Trusted Types policy. However, the Intercom widget script fails on the following line:

e.documentElement.innerHTML = t,
with
Uncaught TypeError: Failed to set the 'innerHTML' property on 'Element': This document requires 'TrustedHTML' assignment.
 

Has anyone encountered this issue before? Any suggestions on how to work around it while keeping Trusted Types enforcement?

Thanks!


 

@nikosp I’m wondering if you’ve looked at the details here in the article about Using Intercom with CSP. This seems like it should help identify the Intercom domains as safe, but I’m not sure if it resolves the innerHTML issue.

If not, please report back here so the Intercom team can have a look into the issue further. 

I did see others having this issue with other frameworks and apps using innerHTML. There may be ways around it, but potentially those are not as safe, so hopefully this solution from Intercom will help, or they can update it with more info for Trusted Types as well.

Hope this helps!


@Nathan Sudds Thanks for the response,
I have read the article about using Intercom with CSP, but unfortunately, it does not address my issue.

The problem occurs because require-trusted-types-for 'script'; enforces Trusted Types; as a result, direct string assignments to innerHTML (like e.documentElement.innerHTML = t) fail.


@nikosp this may be something the Intercom team need to address then and maybe update the article as well. 

 

In case it's helpful, I also sent you a DM with some potential solutions that I'm not 100% sure about so not posting them here in the community directly at the moment.  
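
An added example (not from the thread or from Intercom) of how a default Trusted Types policy intercepts plain-string assignments to HTML sinks under the enforcement discussed above. The function and parameter names are assumptions, and `escapeAll` is a constructed stand-in for a vetted HTML sanitizer.

```javascript
// Added example: a 'default' Trusted Types policy that records which sink
// received a plain string and returns a neutralized value instead of the raw one.

// Constructed stand-in sanitizer: escapes all markup, so nothing can execute.
// In a real app, replace it with a vetted HTML sanitizer (assumption).
const ESC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeAll(html) {
  return String(html).replace(/[&<>"']/g, (c) => ESC[c]);
}

// Rules object for the policy. The browser calls createHTML(input, typeName, sink)
// whenever a plain string reaches an HTML sink such as Element.innerHTML.
function makeDefaultPolicyRules(sanitize, report) {
  return {
    createHTML(input, typeName, sink) {
      // Log only metadata so the report itself never carries markup.
      report({ typeName, sink, length: String(input).length });
      return sanitize(input);
    },
    // createScript and createScriptURL are left out on purpose: plain strings
    // assigned to script sinks keep failing with a TypeError.
  };
}

// `tt` is the trustedTypes factory of ONE window. Each window, including a
// frame's, has its own factory, so a policy is registered per window.
function installDefaultPolicy(tt, sanitize, report) {
  if (!tt || typeof tt.createPolicy !== "function") {
    return null; // browser without Trusted Types support: nothing to install
  }
  return tt.createPolicy("default", makeDefaultPolicyRules(sanitize, report));
}

// Browser usage; skipped when no window exists (e.g. under Node).
if (typeof window !== "undefined" && window.trustedTypes) {
  installDefaultPolicy(window.trustedTypes, escapeAll, (e) => console.warn("TT sink hit", e));
}
```

The reports show which third-party sinks would break before a stricter sanitizer is chosen for the policy.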

 

 

