
We need to add a Content Security Policy to our application that adheres to the following requirements:

  1. include a 'default-src' directive to act as a fallback for other resource types when their policy definitions are absent
  2. set explicit CSP 'script-src' and 'style-src' directives, without the use of wildcard domains
  3. not utilize any 'unsafe-' prefixed directives.

Reading through this article in Intercom Help, I think point #2 above can be addressed (but please confirm), and also advise if points #1 and #3 can work with Intercom (e.g. can we avoid using 'unsafe-inline'?)

Would love to have feedback on whether there is a way to implement this CSP. Does anyone know, or have an idea?


Hey @Portal Support 👋🏼  Shauna here from Support! 

I’ve gone ahead and opened a conversation with one of our support engineers to help you with this 👍🏼

They’ll be in touch with you soon! 


Will update this thread with information as soon as this is resolved with support! 


Any updates on this? I’m in a similar boat. Adding 100+ hashes that won’t survive an update isn’t a sustainable strategy.


Experiencing the same issue. Help article seems to be out of date too.
Can we get an update on this? 


Regarding the original question here is the response from the Support Team:

  1. Yes, a default-src directive can be included in the CSP ✅
  2. Our article lists all of the domains you'd need to allow under the script and style directives

For your third point: unfortunately, removing the 'unsafe-inline' keyword from the `style-src` directive may cause compatibility issues with the Intercom Messenger app. It's important to note that the 'unsafe-inline' keyword allows inline styles to be executed, which is necessary for the proper rendering of the app.
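
A small checker for the three requirements in the original question, added here as an example (it is not Intercom's code, and the host names are constructed placeholders; the real allow-list comes from the Intercom help article). It flags the policy shape the support answer describes, where `style-src` keeps 'unsafe-inline', as a violation of requirement 3:

```python
# Added example (not Intercom's code): check a CSP header against the three
# requirements stated in the question. Host names are constructed placeholders;
# the real allow-list comes from the Intercom help article, not from here.

def parse_csp(header: str) -> dict:
    """Parse 'directive src src; directive src' into a dict of source lists."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def check_csp(header: str) -> list:
    """Return the list of requirement violations; an empty list means compliant."""
    policy = parse_csp(header)
    problems = []
    # Requirement 1: a default-src fallback must be present
    if "default-src" not in policy:
        problems.append("missing default-src fallback")
    # Requirement 2: script-src and style-src set explicitly, no wildcard hosts
    for directive in ("script-src", "style-src"):
        if directive not in policy:
            problems.append(f"{directive} is not set explicitly")
            continue
        for src in policy[directive]:
            if "*" in src:  # bare '*' or a '*.example.com' host source
                problems.append(f"{directive} uses wildcard source {src}")
    # Requirement 3: no 'unsafe-*' keyword anywhere in the policy
    for directive, sources in policy.items():
        for src in sources:
            if src.strip("'").startswith("unsafe-"):
                problems.append(f"{directive} uses {src}")
    return problems

# Constructed sample policies (placeholder hosts, not Intercom's real domains)
STRICT_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://widget.example.com; "
    "style-src 'self' https://widget.example.com"
)
# The shape the support answer says the Messenger needs: 'unsafe-inline' on style-src
MESSENGER_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://widget.example.com; "
    "style-src 'self' 'unsafe-inline' https://widget.example.com"
)

if __name__ == "__main__":
    for name, policy in (("strict", STRICT_POLICY), ("messenger", MESSENGER_POLICY)):
        print(name, check_csp(policy) or "compliant")
```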
