Hello,
Based on the documentation (https://www.intercom.com/help/en/articles/3894-using-intercom-with-content-security-policy), it appears that both unsafe-inline and unsafe-eval need to be added to our Content Security Policy in order for the JavaScript widget to function.

From a security perspective, this raises serious concerns, as it increases the attack surface. Our reporting endpoint shows that unsafe-inline isn’t actually required by your code, but unsafe-eval is being triggered in the vendors-app-modern.js file at the following line:

    var mod = eval("quire".replace(/^/, "re"))(moduleName);

Is there any way to eliminate this eval call? If not, we may need to reconsider our use of Intercom due to these security implications.
Best regards,
Salim
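The post above reaches its conclusion by reading CSP violation reports. As an added example, not part of the original post and not Intercom's code, the script below shows how a defender can triage such reports to see which 'unsafe-*' keyword each violation would require. It handles both wire formats browsers send (the legacy report-uri JSON with a "csp-report" wrapper, and the Reporting API "csp-violation" body) and relies on the CSP3 convention that a blocked eval is reported with blocked-uri "eval" and an inline script or style with blocked-uri "inline". The sample reports, hostnames and line numbers are constructed; only the file name vendors-app-modern.js and the eval line come from the post. The distinction the summary draws is the practical one: an inline script can be allowed per element with a nonce or hash instead of 'unsafe-inline', whereas eval has no per-call substitute, so an eval violation can only be removed by changing the code.

```javascript
// Added example (not from the original post or Intercom): triage CSP
// violation reports to learn which 'unsafe-*' keywords a policy really needs.
// Handles the legacy report-uri JSON ({"csp-report": {...}}) and the
// Reporting API shape ({"type": "csp-violation", "body": {...}}).

// Constructed sample reports; hosts and line numbers are made up.
const SAMPLE_REPORTS = [
  {
    type: "csp-violation",
    body: {
      effectiveDirective: "script-src",
      blockedURL: "eval",
      sourceFile: "https://cdn.example.test/vendors-app-modern.js",
      lineNumber: 1,
      scriptSample: 'eval("quire".replace(/^/, "re"))(moduleName)',
    },
  },
  {
    "csp-report": {
      "effective-directive": "script-src",
      "blocked-uri": "eval",
      "source-file": "https://cdn.example.test/vendors-app-modern.js",
      "line-number": 1,
      "script-sample": 'eval("quire".replace(/^/, "re"))(moduleName)',
    },
  },
  {
    "csp-report": {
      "effective-directive": "script-src-elem",
      "blocked-uri": "inline",
      "source-file": "https://app.example.test/index.html",
      "line-number": 40,
      "script-sample": "window.dataLayer = window.dataLayer || [];",
    },
  },
  {
    "csp-report": {
      "effective-directive": "img-src",
      "blocked-uri": "https://tracker.example.test/pixel.gif",
      "source-file": "https://app.example.test/index.html",
      "line-number": 9,
      "script-sample": "",
    },
  },
];

// Normalize either wire format into one flat record.
function normalizeReport(report) {
  if (report["csp-report"]) {
    const r = report["csp-report"];
    return {
      directive: r["effective-directive"] || r["violated-directive"] || "",
      blockedUri: r["blocked-uri"] || "",
      sourceFile: r["source-file"] || "",
      line: r["line-number"] ?? null,
      sample: r["script-sample"] || "",
    };
  }
  if (report.type === "csp-violation" && report.body) {
    const b = report.body;
    return {
      directive: b.effectiveDirective || "",
      blockedUri: b.blockedURL || "",
      sourceFile: b.sourceFile || "",
      line: b.lineNumber ?? null,
      sample: b.scriptSample || "",
    };
  }
  throw new Error("unrecognized CSP report shape");
}

// Map a violation to the keyword that would silence it. Per CSP3, browsers
// report blocked-uri "eval" for eval()/Function() use and "inline" for
// inline scripts, styles and event handlers. A real URL is an allow-list
// issue, not an unsafe-* keyword, so it maps to null.
function keywordFor(v) {
  if (v.blockedUri === "eval") return "'unsafe-eval'";
  if (v.blockedUri === "inline") return "'unsafe-inline'";
  return null;
}

// Aggregate: keyword -> directive -> sourceFile -> count.
function summarize(reports) {
  const out = {};
  for (const raw of reports) {
    const v = normalizeReport(raw);
    const kw = keywordFor(v);
    if (!kw) continue;
    const byDir = (out[kw] ??= {});
    const bySrc = (byDir[v.directive] ??= {});
    bySrc[v.sourceFile] = (bySrc[v.sourceFile] || 0) + 1;
  }
  return out;
}

// Decide what the policy needs. Inline script can be replaced by a nonce or
// hash, so it is flagged as fixable; eval has no such substitute and is
// attributed to the files that trigger it.
function policyFindings(reports) {
  const s = summarize(reports);
  const evalDirs = s["'unsafe-eval'"] || {};
  return {
    needsUnsafeEval: Object.keys(evalDirs).length > 0,
    evalSources: [...new Set(Object.values(evalDirs).flatMap((m) => Object.keys(m)))],
    inlineFixableWithNonceOrHash: Boolean(s["'unsafe-inline'"]),
  };
}

console.log(JSON.stringify(policyFindings(SAMPLE_REPORTS), null, 2));
```

Run it under Node against the constructed sample set and it reports that 'unsafe-eval' is needed solely because of vendors-app-modern.js, while the one inline violation is something a nonce or hash would cover. Pointed at a real report sink, the same summary tells you whether a keyword is required by your own pages or by a third-party script you cannot change.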