Remove unsafe-eval and unsafe-inline from script-src | Community
Skip to main content

Remove unsafe-eval and unsafe-inline from script-src

  • September 23, 2025
  • 3 replies
  • 135 views
S

Hello,

Based on the documentation (https://www.intercom.com/help/en/articles/3894-using-intercom-with-content-security-policy), it appears that both unsafe-inline and unsafe-eval need to be added to our Content Security Policy in order for the JavaScript widget to function.

From a security perspective, this raises serious concerns, as it increases the attack surface. Our reporting endpoint shows that unsafe-inline isn’t actually required by your code, but unsafe-eval is being triggered in the vendors-app-modern.js file at the following line:

var mod = eval("quire".replace(/^/, "re"))(moduleName);

Is there any way to eliminate this eval call? If not, we may need to reconsider our use of Intercom due to these security implications.

Best regards,

Salim

September 26, 2025

Hey there ​@Salim Semaoune, Emily here from Support Engineering at Intercom 👋🏼

 

You are correct that Intercom currently requires the use of unsafe-eval in your Content Security Policy for the Messenger widget to function. This is due to how the Intercom Messenger is loaded, and at present, there is no way to eliminate this requirement or the associated eval call in the code.

Intercom acknowledges that this is not ideal from a security perspective and understands concerns about increasing the attack surface. The security and product teams are aware of the issue and are considering ways to move away from unsafe-eval to better support strict CSP setups, but there unfortunately is no active solution as of yet. It is on our radar and we hope to make some progress on this soon.

 

If your reporting shows that unsafe-inline is not required, you may omit it, but unsafe-eval remains necessary for now.

3 replies

Emilygav
Intercom Team
Forum|alt.badge.img+6
  • EmilygavIntercom Team
  • Intercom Team
  • 161 replies
  • September 26, 2025

Hey there ​@Salim Semaoune, Emily here from Support Engineering at Intercom 👋🏼

 

You are correct that Intercom currently requires the use of unsafe-eval in your Content Security Policy for the Messenger widget to function. This is due to how the Intercom Messenger is loaded, and at present, there is no way to eliminate this requirement or the associated eval call in the code.

Intercom acknowledges that this is not ideal from a security perspective and understands concerns about increasing the attack surface. The security and product teams are aware of the issue and are considering ways to move away from unsafe-eval to better support strict CSP setups, but there unfortunately is no active solution as of yet. It is on our radar and we hope to make some progress on this soon.

 

If your reporting shows that unsafe-inline is not required, you may omit it, but unsafe-eval remains necessary for now.

S
  • Salim Semaoune
  • Author
  • New Participant
  • 2 replies
  • September 29, 2025

Hey ​@Emilygav 

It looks like the call to eval is made by the underlying dependency to protobufjs. If that’s correct, a fix has been issued in the version 7.5.0 of the library https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.0

but it’s still not functional as the release process has failed: https://github.com/protobufjs/protobuf.js/issues/2094

It could be cool if someone at Intercom could help on the issue so that it’s solved faster.

Thank’s in advance

K
  • Kit Engineering
  • New Participant
  • 1 reply
  • October 27, 2025

Hi team, throwing in another vote for this issue to be looked at. Thanks.


Terms & ConditionsAccessibility statement