Skip to content

Instantly share code, notes, and snippets.

@benschwarz
Created October 14, 2015 14:56
Show Gist options
  • Save benschwarz/9b4694d444096ec0a33a to your computer and use it in GitHub Desktop.
Save benschwarz/9b4694d444096ec0a33a to your computer and use it in GitHub Desktop.
Intercom CSP (Content security policy)

You'll need to add a whole slew of hosts for intercom if you've got CSP in place (which you should).

Heres what you'll need to add:

connect-src: https://api-ping.intercom.io https://nexus-websocket-a.intercom.io https://nexus-websocket-b.intercom.io wss://nexus-websocket-a.intercom.io wss://nexus-websocket-b.intercom.io https://api-iam.intercom.io 
script-src: https://widget.intercom.io https://js.intercomcdn.com
image-src: https://js.intercomcdn.com
@camillef
Copy link

camillef commented Jan 6, 2016

Plus

media-src: https://js.intercomcdn.com

and if you want to embed any videos in your in-app messages you'll need something like

frame-src: https://www.youtube.com https://player.vimeo.com https://fast.wistia.net

@kujenga
Copy link

kujenga commented Jun 28, 2016

For profile images, I found the following to be necessary within img-src:

https://static.intercomassets.com

As well as the following within media-src for audio files:

https://js.intercomcdn.com

@benschwarz
Copy link
Author

Thanks for the updates folks!

@nsheridan
Copy link

Hi there. I've documented Intercom's recommended CSP settings: https://docs.intercom.io/configure-intercom-for-your-product-or-site/staying-secure/using-intercom-with-content-security-policy. We'll keep the document current so if anything changes we'll publish it there and add to the changelog.
Hope this helps!

@chrhansen
Copy link

Wow https://docs.intercom.com/configure-intercom-for-your-product-or-site/staying-secure/using-intercom-with-content-security-policy is a huge amount of endpoints to add to the CSP-policy. Is there any chance you guys can consider consolidating it a bit at some point? Besides a very long CSP header (for just the Intercom-plugin), I also find it a bit too permissive to whitelist so many sources.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment