Remove unsafe-eval and unsafe-inline from script-src | Community

Hello,

Based on the documentation (https://www.intercom.com/help/en/articles/3894-using-intercom-with-content-security-policy), it appears that both unsafe-inline and unsafe-eval need to be added to our Content Security Policy in order for the JavaScript widget to function.

From a security perspective, this raises serious concerns, as it increases the attack surface. Our reporting endpoint shows that unsafe-inline isn’t actually required by your code, but unsafe-eval is being triggered in the vendors-app-modern.js file at the following line:

var mod = eval("quire".replace(/^/, "re"))(moduleName);

Is there any way to eliminate this eval call? If not, we may need to reconsider our use of Intercom due to these security implications.

Best regards,

Salim
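An added illustration, not part of this thread: the triage the post above describes, done over CSP violation reports. It assumes the policy is deployed in report-only mode with neither keyword present, and uses constructed sample reports (the CDN URL is a placeholder, not a real Intercom path).

```javascript
// Determine which script-src keywords a page actually exercises by reading the
// CSP violation reports it generates. Browsers report a blocked eval() with
// blocked-uri "eval" and a blocked inline script with blocked-uri "inline".
// Both the legacy report-uri shape and the Reporting API shape are handled.

// Constructed sample reports (hypothetical CDN host; not taken from the thread).
const SAMPLE_REPORTS = [
  { 'csp-report': {
      'effective-directive': 'script-src',
      'blocked-uri': 'eval',
      'source-file': 'https://cdn.example/vendors-app-modern.js',
      'script-sample': 'var mod = eval("quire".replace(/^/, "re"))(moduleName);' } },
  { type: 'csp-violation', body: {
      effectiveDirective: 'img-src',
      blockedURL: 'https://tracker.example/pixel.gif' } },
];

function normalize(report) {
  const body = report['csp-report'] || report.body || {};
  return {
    directive: (body['effective-directive'] || body.effectiveDirective || '').split(' ')[0],
    blocked: body['blocked-uri'] || body.blockedURL || '',
    sourceFile: body['source-file'] || body.sourceFile || '',
  };
}

// Returns the sorted list of script-src keywords that would be needed to stop
// these violations; an empty list means a strict policy already suffices.
function requiredScriptKeywords(reports) {
  const needed = new Set();
  for (const r of reports.map(normalize)) {
    if (r.directive !== 'script-src') continue;
    if (r.blocked === 'eval') needed.add("'unsafe-eval'");
    else if (r.blocked === 'inline') needed.add("'unsafe-inline'");
  }
  return [...needed].sort();
}

// Lists the scripts that triggered eval(), so the offending bundle can be
// traced back to its dependency rather than whitelisted blindly.
function evalSources(reports) {
  return [...new Set(reports.map(normalize)
    .filter(r => r.directive === 'script-src' && r.blocked === 'eval')
    .map(r => r.sourceFile))];
}
```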

Hey there @Salim Semaoune, Emily here from Support Engineering at Intercom 👋🏼


You are correct that Intercom currently requires the use of unsafe-eval in your Content Security Policy for the Messenger widget to function. This is due to how the Intercom Messenger is loaded, and at present, there is no way to eliminate this requirement or the associated eval call in the code.

Intercom acknowledges that this is not ideal from a security perspective and understands concerns about increasing the attack surface. The security and product teams are aware of the issue and are considering ways to move away from unsafe-eval to better support strict CSP setups, but there unfortunately is no active solution as of yet. It is on our radar and we hope to make some progress on this soon.


If your reporting shows that unsafe-inline is not required, you may omit it, but unsafe-eval remains necessary for now.


Hey @Emilygav

It looks like the call to eval is made by the underlying dependency to protobufjs. If that’s correct, a fix has been issued in the version 7.5.0 of the library https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.0

but it’s still not functional as the release process has failed: https://github.com/protobufjs/protobuf.js/issues/2094

It could be cool if someone at Intercom could help on the issue so that it’s solved faster.

Thanks in advance