Answered

Is there a way to serve messenger with Content Security Policy without style-src: 'unsafe-inline'


We would need to add a Content Security Policy to our application. I saw this article on Intercom Help. There it is stated to use 'unsafe-inline', but I am wondering whether there is a way not to use it, since we would like to avoid that in our policy?

Best answer by Evan P

3 replies

  • Active User
  • 32 replies
  • Answer
  • June 27, 2022

Hey @stefan m, 👋 thanks for reaching out! I'm one of the Support Engineers here @ Intercom! 👍

 

Currently 'unsafe-inline' is required for various aspects of Intercom to work properly. If you choose not to include one or some of the policies listed in that article you have looked at, then Intercom will potentially not function correctly.

 

You definitely aren't the first to reach out about our CSP so I will make sure to flag this with our Product team so they are aware of it. I hope this clarifies.


For regulatory compliance, I have to ask, why are styles loaded this way? Is there any way to create an acceptable CSP policy that does not use “unsafe-inline”? Allowing the addition of a nonce to the generated styles would be one way.
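
To make the trade-off in this thread concrete, here is an added example (not code from the page, from Intercom, or from any poster) that evaluates whether an inline stylesheet may apply under a given style-src directive, following the CSP3 rules for inline elements: 'unsafe-inline' allows everything but is ignored once the directive also carries a nonce or hash source; a 'nonce-…' source allows a tag that carries the same nonce attribute; a 'sha256-…' source allows exactly that CSS text. The widget CSS string, the header values and the function names are constructed for the illustration. It shows why the nonce route proposed above only works if the script injecting the styles also stamps the nonce onto them, and why hashing third-party generated CSS is fragile (a single changed byte misses the hash).

```python
import base64
import hashlib
import secrets

# Directive the thread is about; everything below is a constructed illustration.
DIRECTIVE = "style-src"


def parse_csp(header):
    """Parse a Content-Security-Policy header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def style_hash(css):
    """Return the 'sha256-<base64>' source expression that matches an inline <style> block."""
    digest = hashlib.sha256(css.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def inline_style_allowed(header, css, nonce=None):
    """Decide whether an inline <style> block (optionally carrying a nonce attribute) may apply.

    Falls back to default-src when style-src is absent; no governing directive means allowed.
    """
    policy = parse_csp(header)
    sources = policy.get(DIRECTIVE, policy.get("default-src"))
    if sources is None:
        return True
    # CSP3: a nonce or hash source in the directive makes 'unsafe-inline' a no-op.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    return f"'{style_hash(css)}'" in sources


def demo():
    """Compare the policy variants discussed in the thread against one widget-injected style block."""
    # Constructed stand-in for CSS a third-party widget might inject at runtime.
    widget_css = "#widget-container { z-index: 2147483647; }"
    permissive = "default-src 'self'; style-src 'self' 'unsafe-inline'"
    strict = "default-src 'self'; style-src 'self'"
    nonce = base64.b64encode(secrets.token_bytes(16)).decode("ascii")  # fresh per response
    with_nonce = f"default-src 'self'; style-src 'self' 'nonce-{nonce}'"
    with_hash = f"default-src 'self'; style-src 'self' '{style_hash(widget_css)}'"
    return {
        "unsafe-inline": inline_style_allowed(permissive, widget_css),
        "strict": inline_style_allowed(strict, widget_css),
        # Only works if the injecting script puts the nonce on the <style> it creates.
        "nonce, tag carries it": inline_style_allowed(with_nonce, widget_css, nonce=nonce),
        "nonce, tag lacks it": inline_style_allowed(with_nonce, widget_css),
        "hash": inline_style_allowed(with_hash, widget_css),
        # Any change to the generated CSS breaks a hash-based allowance.
        "hash, css changed": inline_style_allowed(with_hash, widget_css + " "),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:24} -> {'allowed' if allowed else 'blocked'}")
```

Two caveats the evaluator makes visible: the nonce must be minted per response and handed to whatever creates the style element, which for an externally loaded widget is the vendor's script, not your page; and nonces never apply to `style="…"` attributes at all (only hashes combined with 'unsafe-hashes' do), so a widget that sets inline style attributes needs a different answer than one that injects `<style>` tags.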



@Chris van der Loo we were discussing the same thing here: 

I now created an item on the Product Wishlist for this CSP/unsafe-inline issue. Please upvote (and/or add your thoughts):

https://community.intercom.com/ideas/enhanced-csp-compliance-eliminating-unsafe-inline-requirements-8877

 

