
CSP for Intercom

Using Intercom with Content Security Policy

Intercom is a great support tool (we also use it at RapidSec), but it has a complex UI architecture that is hard to configure with CSP. Note that you should use RapidSec's version of the CSP, not the one in the official docs (which lacks some directives).

Allow these directives in your Content Security Policy to support Intercom:

script-src
  https://js.intercomcdn.com
  https://widget.intercom.io
  https://app.intercom.io;
style-src
  'unsafe-inline';
frame-src
  www.intercom-reporting.com;
child-src
  www.intercom-reporting.com
  intercom-sheets.com
  www.youtube.com
  player.vimeo.com
  fast.wistia.net;
img-src
  data:
  blob:
  static.intercomassets.com
  *.intercomcdn.com
  *.intercom-mail.com
  *.intercom.io
  *.intercomusercontent.com
  {{workspaceName}}.intercom-attachments-1.com
  {{workspaceName}}.intercom-attachments-2.com
  {{workspaceName}}.intercom-attachments-3.com
  {{workspaceName}}.intercom-attachments-4.com
  {{workspaceName}}.intercom-attachments-5.com
  {{workspaceName}}.intercom-attachments-6.com
  {{workspaceName}}.intercom-attachments-7.com
  {{workspaceName}}.intercom-attachments-8.com
  {{workspaceName}}.intercom-attachments-9.com;
font-src
  js.intercomcdn.com
  fonts.intercomcdn.com;
connect-src
  *.intercom.io
  wss://*.intercom.io
  uploads.intercomcdn.com
  uploads.intercomusercontent.com;
form-action
  api-iam.intercom.io
  intercom.help;
media-src
  js.intercomcdn.com;

The main domains used by Intercom are:

intercomassets.com
intercom.io
intercomcdn.com
intercom-attachments-7.com
intercom-attachments-1.com
intercom-mail.com
intercom-reporting.com
intercom-mail-200.com

Example Content-Security-Policy violations / reports:

Using the above CSP package will fix these errors that you may be seeing in your console logs:

script-src / script-src-elem / script-src-attr violations

Refused to load the script 'https://widget.intercom.io/widget/*' because it violates the following Content Security Policy directive: "script-src 'self' 'report-sample'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

If you see inline script errors, you need to add SHA-256 hashes / nonces to your CSP with RapidSec:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc='), or a nonce ('nonce-...') is required to enable inline execution.

If you see eval() errors, RapidSec will generate your CSP using the specific content of those errors:

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'report-sample'".

style-src / style-src-elem / style-src-attr violations

Refused to load the stylesheet 'intercomassets.com' because it violates the following Content Security Policy directive: "style-src 'self' 'report-sample'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.

If you see inline style errors, you need to add SHA-256 hashes / nonces to your CSP with RapidSec:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc='), or a nonce ('nonce-...') is required to enable inline execution.

font-src violations

Refused to load the font 'https://js.intercomcdn.com/fonts/proximanova-regular.*.woff' because it violates the following Content Security Policy directive: "font-src 'self'"

img-src violations

Refused to load the image 'intercomassets.com' because it violates the following Content Security Policy directive: "img-src 'self'".

frame-src violations

[Report Only] Refused to frame 'intercomassets.com' because it violates the following Content Security Policy directive: "frame-src 'self'".

form-action violations

[Report Only] Refused to send form data to 'intercomassets.com' because it violates the following Content Security Policy directive: "form-action 'self'".

connect-src violations

[Report Only] Refused to connect to 'intercomassets.com' because it violates the following Content Security Policy directive: "connect-src 'self'"
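To check whether a console violation like the ones above would still fire once the Intercom package is in place, here is an added example (not RapidSec's code) that fills in {{workspaceName}}, serialises the package as a header value, and applies the script-src-elem to script-src fallback the messages mention. The workspace name "acme" and the sample URLs are constructed placeholders, and it assumes an https page.

```python
from urllib.parse import urlsplit

# Directive -> sources, transcribed from the package above ({{workspaceName}} is the page's placeholder).
INTERCOM_CSP = {
    "script-src": ["https://js.intercomcdn.com", "https://widget.intercom.io", "https://app.intercom.io"],
    "style-src": ["'unsafe-inline'"],
    "frame-src": ["www.intercom-reporting.com"],
    "img-src": ["data:", "blob:", "static.intercomassets.com", "*.intercomcdn.com", "*.intercom-mail.com",
                "*.intercom.io", "*.intercomusercontent.com"]
               + [f"{{{{workspaceName}}}}.intercom-attachments-{i}.com" for i in range(1, 10)],
    "font-src": ["js.intercomcdn.com", "fonts.intercomcdn.com"],
    "connect-src": ["*.intercom.io", "wss://*.intercom.io", "uploads.intercomcdn.com",
                    "uploads.intercomusercontent.com"],
    "form-action": ["api-iam.intercom.io", "intercom.help"],
    "media-src": ["js.intercomcdn.com"],
}
# Browsers fall back to the broader directive when the granular one is unset (see the console
# messages above: "'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback").
FALLBACK = {"script-src-elem": "script-src", "script-src-attr": "script-src",
            "style-src-elem": "style-src", "style-src-attr": "style-src"}

def policy_for(workspace: str) -> dict:
    """Return the package with {{workspaceName}} filled in (workspace name is a constructed value)."""
    return {d: [s.replace("{{workspaceName}}", workspace) for s in srcs] for d, srcs in INTERCOM_CSP.items()}

def build_header(workspace: str) -> str:
    """Serialise the policy as a Content-Security-Policy header value, keeping 'self' on each directive."""
    return "; ".join(f"{d} 'self' {' '.join(srcs)}" for d, srcs in policy_for(workspace).items())

def source_matches(source: str, url: str) -> bool:
    """Match one source expression (scheme-source, host, *.wildcard) against a URL.
    Assumes an https page, so a scheme-less host accepts https and wss; path parts are ignored."""
    u = urlsplit(url)
    if source.endswith(":"):                 # scheme-source such as data: or blob:
        return u.scheme == source[:-1]
    scheme, _, host = source.rpartition("://")  # ('', '', host) when no scheme is given
    if (scheme and u.scheme != scheme) or (not scheme and u.scheme not in ("https", "wss")):
        return False
    if host.startswith("*."):                # wildcard requires at least one extra label
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host

def is_allowed(policy: dict, effective_directive: str, blocked_uri: str) -> bool:
    """Would a report with this effective-directive / blocked-uri pass under `policy`?"""
    directive = effective_directive
    while directive not in policy and directive in FALLBACK:
        directive = FALLBACK[directive]
    return any(source_matches(s, blocked_uri) for s in policy.get(directive, []) if not s.startswith("'"))
```

Note that an explicit scheme in a source (https://widget.intercom.io) rejects the same host over plain http, and that *.intercom.io does not cover the bare apex intercom.io.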