Enhanced CSP Compliance: eliminating 'unsafe-inline' requirements | Community
Submitted

Enhanced CSP Compliance: eliminating 'unsafe-inline' requirements

Related products:Security & Compliance
  • January 16, 2025
  • 8 replies
  • 127 views


For security reasons (but in our case also for regulatory requirements) we need strict adherence to secure Content Security Policies (CSP). Currently, Intercom requires the use of unsafe-inline for styles in the style-src directive, which undermines security and fails to meet compliance standards.

We propose a solution that ensures Intercom can function seamlessly without requiring unsafe-inline by introducing nonce support for inline styles or externalizing injected styles.

Possible solutions:

  • Nonce Support for Inline Styles:
    Allow Intercom to detect and apply CSP nonces from the host application’s CSP configuration. Use the nonce value specified in the CSP meta tag or header for all dynamically injected styles, ensuring compatibility without sacrificing security.
  • Externalization of Injected Styles:
    Intercom-generated inline styles are automatically converted into external stylesheets hosted on Intercom's CDN. The external stylesheets can then be whitelisted in the CSP using specific domains (e.g., https://*.intercomcdn.com).
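How the first proposal (nonce support) could work on the widget side, as an added example that is not Intercom's code: the host's policy string is read from its CSP meta tag (or a hypothetical `window.__cspPolicy` copy), the style nonce is extracted with the spec's default-src fallback, and injected `<style>` elements carry that nonce. It also shows the check a reviewer wants: once a nonce or hash is present in style-src, 'unsafe-inline' is ignored by browsers, so a policy carrying both is not actually permissive.

```javascript
// Added example (not Intercom code): honouring the host page's CSP nonce
// instead of requiring 'unsafe-inline' in style-src. The meta tag / window
// property names below are assumptions for this example.

// Return the source list for a directive, applying CSP's fallback to default-src.
function directiveSources(policy, name) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives.get(name) || directives.get('default-src') || [];
}

// Extract the nonce the host expects on inline styles, or null if there is none.
function cspStyleNonce(policy) {
  for (const src of directiveSources(policy, 'style-src')) {
    const m = /^'nonce-([A-Za-z0-9+\/=_-]+)'$/.exec(src);
    if (m) return m[1];
  }
  return null;
}

// True only if the effective style-src really lets un-nonced inline CSS run.
// Per CSP Level 2+, 'unsafe-inline' is ignored once a nonce or hash source is
// present, so "'unsafe-inline' 'nonce-x'" is NOT a permissive policy.
function styleInlineIsUnsafe(policy) {
  const srcs = directiveSources(policy, 'style-src');
  const hasNonceOrHash = srcs.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
  return srcs.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Read the host policy in a browser (assumed meta tag or window property).
function hostPolicy(doc, win) {
  const meta = doc.querySelector && doc.querySelector('meta[http-equiv="Content-Security-Policy" i]');
  return (meta && meta.getAttribute('content')) || (win && win.__cspPolicy) || '';
}

// Inject widget CSS as a nonced <style>. `doc` is passed in so the function can
// be exercised outside a browser; in a page this is simply `document`.
function injectNoncedStyle(cssText, nonce, doc) {
  if (!nonce) throw new Error('no style nonce in host CSP; refusing to inject inline CSS');
  const el = doc.createElement('style');
  // Set the IDL property rather than setAttribute: browsers hide the nonce
  // content attribute once CSP is active, but the property is still honoured.
  el.nonce = nonce;
  el.textContent = cssText;
  doc.head.appendChild(el);
  return el;
}
```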

8 replies

mateusz.leszkiewicz
Intercom Team

Here is an explanation of why we decided to keep unsafe-inline-src in our system at Intercom.


Thanks, I replied to your explanation there and hope for reconsideration (or more community support to show our shared needs).


  • New Participant
  • February 25, 2025

@mateusz.leszkiewicz Here are some reasons why leaving unsafe-inline is a security threat: 

  • Allows inline styles (<style> tags and style attributes on elements).
  • Can be exploited for CSS-based attacks, such as injecting malicious styles to alter the UI for phishing or clickjacking.
  • Potentially enables UX-based attacks, where malicious styles can hide security warnings or mislead users into performing unintended actions.

Can this be prioritized to be fixed so we don’t have to have security vulnerabilities when using Intercom?


mateusz.leszkiewicz
Intercom Team

Hi @Will Wedmedyk

I’ve already addressed those questions in this post.



  • New Participant
  • February 26, 2025

@mateusz.leszkiewicz I've upvoted this change, what else can we do to ensure that this gets fixed?


mateusz.leszkiewicz
Intercom Team

@Will Wedmedyk at this point the only thing to do is to wait. I’ve already flagged this issue with our Security Team and have passed on their current stance.
If this gets upvoted, they will have to reconsider their position on this issue.


  • New Participant
  • February 26, 2025

@mateusz.leszkiewicz How many votes are required to have them change their position? 


mateusz.leszkiewicz
Intercom Team

@Will Wedmedyk it depends on the overall Wishlist activity.
The Feature Request with the biggest number of votes gets introduced. Please refer to the product wishlist guide here.