Getting unsafe-eval CSP error! | Community

Hi

I’m getting unsafe-eval CSP error from script-src policy.

Can this be fixed somehow without adding unsafe-eval to the policy?

Do you have any other script version without eval inside your JS code?

Attaching screenshots.

Regards

Hey Matt, Shaq here from the Support Engineering team😀

Intercom scripts may trigger Content-Security-Policy (CSP) warnings due to the use of the eval function, which is generally not recommended as it can increase the risk of XSS attacks. However, Intercom supports Google strict CSPv3, which includes directives that can help mitigate these risks without enabling unsafe-eval.

If you are using a strict CSP, you can include nonce-source(s) for scripts loaded by the Messenger, which allows you to maintain security without enabling unsafe-eval. Despite these warnings, the functionality of Intercom should not be affected if the CSP is configured correctly. This guide here has a little more context as well: https://www.intercom.com/help/en/articles/3894-using-intercom-with-content-security-policy

Let me know if I can clarify anything!


Hey Shaq, thanks for the answer.

Can you please give me an example of how to include nonce for script loaded by Messenger?

We’re already adding nonce to intercom script, what else can I do?

If you are using a strict CSP, you can include nonce-source(s) for scripts loaded by the Messenger, which allows you to maintain security without enabling unsafe-eval. Despite these warnings, the functionality of Intercom should not be affected if the CSP is configured correctly.

Also, what warnings are we talking about here?

Despite these warnings, the functionality of Intercom should not be affected if the CSP is configured correctly.

Thanks

Matt


@MattWD did you find a solution to this? I’m also confused about how we’re supposed to add the nonce value to scripts loading inside their SDK code. Trying to fit Intercom under our CSP policy has been a nightmare, to say the least.


@Jordan Ramey instead of adding a nonce to the Intercom scripts, you add the nonce attribute and value to every script tag in your HTML response (matching the nonce in the script-src directive of your CSP header) and set 'strict-dynamic' as a source expression in script-src, which propagates the trust to any script loaded by a tag or script with the nonce attribute.


I don't think it's right to have to modify all other parts of our code just to accommodate Intercom.

This seems like a negative side effect caused by Intercom prioritizing its own service, and I believe Intercom should address this issue promptly in a future version.
