I'm generating a nonce value on my CSP header using Netlify, and while I'm seeing in my CSP header that the nonce value is set, when inspecting the HTML, Intercom's script tag does not contain the nonce value.
Can someone provide some insight into how to get Intercom to initialize with the CSP header's nonce value, or is that not possible?
Best answer by Diogo Silva
Hello @Will Wedmedyk,
From my understanding, to initialize Intercom with the CSP header nonce value in Netlify, you need to ensure you are using Google's CSPv3 and including nonce sources for the scripts loaded by Messenger, something like this:
• Use Google's strict CSP policy: Content-Security-Policy: object-src 'none'; script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:; base-uri 'self';
• Include nonce fonts for Messenger scripts.
• If you need help with handling nonces, see Google's tutorial on CSP.
If you cannot use CSPv2 or v3 features, consider using origin allowlisting with the relevant directives for Intercom.
Yes, I saw that in the article about integrating Intercom with a CSP. The issue is that I do have the nonce present in my CSP, but it's not being included in the Intercom <script> tag when I look at the HTML. I was under the impression that this would work out of the box, but is there some configuration option I'm missing to have this populated on the script and style tags?
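A way to check the symptom described in this thread, as an added example that is not part of the original posts or Intercom's code: it reads the nonce from a CSP header and reports which `<script>` tags in the served HTML carry it. The nonce, the HTML and the function names are constructed for illustration.

```javascript
// Constructed sample data (not from the thread): the policy shape quoted in the
// answer with a made-up nonce, plus three script tags as they might be served.
const SAMPLE_CSP = "object-src 'none'; script-src 'nonce-r4nd0mABC' 'unsafe-inline' " +
  "'unsafe-eval' 'strict-dynamic' https: http:; base-uri 'self';";
const SAMPLE_HTML = `
<script nonce="r4nd0mABC">/* inline loader */</script>
<script src="/app.js"></script>
<script nonce="stale123" src="/cached.js"></script>`;

// Return the nonces from the directive that governs <script> elements.
function scriptNonces(cspHeader) {
  const directives = new Map();
  for (const part of cspHeader.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  const sources = directives.get('script-src-elem') ||
    directives.get('script-src') || directives.get('default-src') || [];
  return sources
    .map((s) => /^'nonce-([A-Za-z0-9+\/_-]+={0,2})'$/.exec(s))
    .filter(Boolean)
    .map((m) => m[1]);
}

// Classify each <script> start tag in the HTML text as ok / missing / mismatch.
function auditScripts(cspHeader, html) {
  const allowed = new Set(scriptNonces(cspHeader));
  const findings = [];
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    const attr = /(?:^|\s)nonce\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    const value = attr ? (attr[1] ?? attr[2] ?? attr[3]) : null;
    let status = 'ok';
    if (value === null) status = 'missing';
    else if (!allowed.has(value)) status = 'mismatch';
    findings.push({ tag: m[0], status });
  }
  return findings;
}

for (const f of auditScripts(SAMPLE_CSP, SAMPLE_HTML)) {
  console.log(f.status.padEnd(8), f.tag);
}
```

Run it against the raw response body rather than the DevTools element view. Under 'strict-dynamic', a script element created at runtime by a script that already carries a valid nonce is trusted without a nonce attribute of its own, so only tags in the served HTML are in scope here.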