We need to add a Content Security Policy to our application that adheres to the following requirements:
1. include a 'default-src' directive to act as a fallback for other resource types when their policy definitions are absent
2. set explicit CSP 'script-src' and 'style-src' directives, without the use of wildcard domains
3. not utilize any 'unsafe-'-prefixed directives.
Reading through this article in Intercom Help, I think point #2 above can be addressed (but please confirm), and also advise if points #1 and #3 can work with Intercom (e.g. can we avoid using 'unsafe-inline'?)
Best answer by Jacob Cox
Regarding the original question, here is the response from the Support Team:
Yes, a default-src directive can be included in the CSP.
Our article lists all of the domains you'd need to allow under the script and style directives.
For your third point: unfortunately, removing the 'unsafe-inline' keyword from the `style-src` directive may cause compatibility issues with the Intercom Messenger app. It's important to note that the 'unsafe-inline' keyword allows inline styles to be executed, which is necessary for the proper rendering of the app.
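As an added example (not code from Intercom or from the answer above), here is a small checker that parses a Content-Security-Policy header value and reports which of the question's three requirements it fails. The hosts in the sample policy are placeholders, not Intercom's real allow-list (that comes from their article); the sample deliberately carries the 'unsafe-inline' on style-src that Support says the Messenger needs, so the audit flags exactly that.

```python
import re
from typing import Dict, List

# Matches any 'unsafe-*' keyword source ('unsafe-inline', 'unsafe-eval', 'unsafe-hashes', ...).
UNSAFE_RE = re.compile(r"^'unsafe-[a-z-]+'$")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [sources]}; directives are ';'-separated."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def is_wildcard(source: str) -> bool:
    """True for '*' or a host-source with a wildcard label (e.g. *.cdn.example); keywords are quoted."""
    return source == "*" or (not source.startswith("'") and "*" in source)


def audit_csp(header: str) -> List[str]:
    """Return the requirement violations found; an empty list means the policy passes all three."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "default-src" not in policy:                       # requirement 1: fallback directive
        findings.append("missing default-src fallback")
    for directive in ("script-src", "style-src"):         # requirement 2: explicit, no wildcards
        if directive not in policy:
            findings.append(f"missing explicit {directive}")
            continue
        for src in policy[directive]:
            if is_wildcard(src):
                findings.append(f"{directive}: wildcard source {src}")
    for directive, sources in policy.items():             # requirement 3: no 'unsafe-' keywords
        for src in sources:
            if UNSAFE_RE.match(src):
                findings.append(f"{directive}: {src} keyword")
    return findings


# Constructed sample policy: placeholder hosts (not Intercom's real domains) plus the
# 'unsafe-inline' on style-src that the Messenger currently requires.
INTERCOM_STYLE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://widget.example.invalid; "
    "style-src 'self' 'unsafe-inline' https://widget.example.invalid"
)

if __name__ == "__main__":
    for finding in audit_csp(INTERCOM_STYLE_POLICY):
        print("FAIL:", finding)
```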
@Portal Support @Shauna @Tom Cunningham @Tanya @Jacob Cox this is a security risk that has not been mitigated yet by Intercom. This is discussed in multiple threads. I created an item on the Product Wishlist for this CSP/unsafe-inline issue, to hopefully get it prioritised. Please upvote (and/or add your thoughts):