Is there a way to serve Intercom with Content Security Policy without style-src: 'unsafe-inline'
We would need to add Content Security Policy to our application. I saw this article on Intercom Help. There it is stated to use 'unsafe-inline', but I am wondering whether there is a way not to use it, since we would like to avoid that in our policy?
Best answer by mateusz.leszkiewicz
Hi
You're correct that 'unsafe-inline' applies globally and cannot be restricted to a specific domain like Intercom. While 'sha256-<hash>' is a better alternative for inline styles, its dynamic nature can indeed pose challenges if the styles change frequently.
Here are some additional thoughts and strategies you might find useful:
1. Dynamic Hash Automation
If you control the server setup and can dynamically generate the CSP header, you could:
- Monitor the inline styles injected by Intercom.
- Dynamically compute their hash at runtime.
- Add the computed hash to your style-src directive.
This approach requires server-side scripting and might be complex to implement, but it avoids 'unsafe-inline'.
2. Proxy Inline Styles
Another workaround is intercepting Intercom's inline styles via a CSP-compatible middleware that rewrites them into external stylesheets hosted on your server. Then, whitelist this external stylesheet in your CSP.
Challenges:
- This requires monitoring changes to the injected styles.
- It adds maintenance overhead.
3. Use an Allowlist for Trusted Intercom Styles
If you find that Intercom's styles remain stable over time, you can curate an allowlist of hashes for all currently injected styles. Add these hashes to your CSP.
Example:
style-src 'self' 'sha256-<hash1>' 'sha256-<hash2>' https://*.intercomcdn.com;
Caveat: Maintenance is required if Intercom updates their injected styles.
4. Request Intercom to Support Nonces
Since Intercom doesn't natively support nonces, you could escalate this as a feature request to their support. It's a known limitation, and many other third-party providers already offer this functionality.
Nonces would allow injected styles to be safely tied to your CSP configuration, ensuring security without relying on 'unsafe-inline'.
Pragmatic Recommendation
If the above approaches aren't feasible:
- Use 'unsafe-inline' temporarily but restrict it to the style-src directive.
- Monitor the Intercom roadmap for updates or engage their support for best practices.
Example CSP:
script-src 'self' 'nonce-<your-nonce>' https://*.intercomcdn.com https://*.intercom.io;
style-src 'self' 'unsafe-inline' https://*.intercomcdn.com;
This strikes a balance between functionality and security while awaiting a more robust solution.
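The hash-based strategies in the answer above (automating hash computation, or curating an allowlist of hashes) boil down to one operation: take the exact text of each inline `<style>` element, SHA-256 it, base64-encode the digest, and place it in `style-src` as `'sha256-...'`. The following is an added example, not code from the original thread or from Intercom; the HTML snippet is constructed for the demo and the hostnames are taken from the answer's example policy. It also includes a small checker that reflects a CSP rule worth knowing when mixing approaches: once a hash or nonce source is present in a directive, browsers that understand hashes ignore `'unsafe-inline'` in that directive.

```python
import base64
import hashlib
import re

# Constructed sample page: two inline <style> elements, as a widget script might inject.
SAMPLE_HTML = """<html><head>
<style>.launcher { position: fixed; bottom: 20px; }</style>
<style id="widget-theme">
  .widget { color: #1f1f1f; }
</style>
</head><body></body></html>"""

# Hostnames from the answer's example policy (assumed here, not verified against Intercom docs).
INTERCOM_STYLE_HOSTS = ["https://*.intercomcdn.com"]


def csp_hash(source: str) -> str:
    """Return the CSP hash-source for an inline block: 'sha256-<base64 digest>'.

    The digest covers the exact UTF-8 bytes between <style> and </style>,
    whitespace included, so the text must not be trimmed or reformatted.
    """
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def extract_inline_styles(html: str) -> list[str]:
    """Return the raw content of every <style> element, in document order.

    Only <style> elements are hashable this way; style="" attributes are not
    covered by plain hash sources (CSP3 needs 'unsafe-hashes' for those).
    """
    return re.findall(r"<style\b[^>]*>(.*?)</style\s*>", html, flags=re.S | re.I)


def build_style_src(html: str, hosts: list[str]) -> str:
    """Build a style-src directive allowing 'self', the page's inline styles by hash, and the given hosts."""
    hashes = [csp_hash(css) for css in extract_inline_styles(html)]
    return "style-src 'self' " + " ".join(hashes + hosts) + ";"


def allows_inline_style(directive: str, css: str) -> bool:
    """Predict whether a style-src directive permits the given inline <style> content.

    Per the CSP spec, 'unsafe-inline' is ignored when any hash or nonce source
    is present, so a directive that lists hashes only allows matching blocks.
    """
    tokens = directive.rstrip(";").split()
    strict_sources = any(t.startswith(("'sha", "'nonce-")) for t in tokens)
    if strict_sources:
        return csp_hash(css) in tokens
    return "'unsafe-inline'" in tokens


if __name__ == "__main__":
    directive = build_style_src(SAMPLE_HTML, INTERCOM_STYLE_HOSTS)
    print(directive)
    for css in extract_inline_styles(SAMPLE_HTML):
        print("allowed:", allows_inline_style(directive, css))
    # A block that changed by one character no longer matches any hash.
    print("allowed after edit:", allows_inline_style(directive, ".launcher { bottom: 21px; }"))
```

Running this prints a directive of the form the answer's item 3 describes (`style-src 'self' 'sha256-...' 'sha256-...' https://*.intercomcdn.com;`). The last line of output illustrates the maintenance caveat: any change to an injected style, even whitespace, invalidates its hash and the block is blocked until the allowlist is regenerated, which is why the answer suggests automating the computation if you go this route.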