benschwarz/README.md

Created October 14, 2015 14:56

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/benschwarz/9b4694d444096ec0a33a.js"></script>
Save benschwarz/9b4694d444096ec0a33a to your computer and use it in GitHub Desktop.

Download ZIP

Intercom CSP (Content security policy)

Raw

README.md

You'll need to add a whole slew of hosts for intercom if you've got CSP in place (which you should).

Heres what you'll need to add:

connect-src: https://api-ping.intercom.io https://nexus-websocket-a.intercom.io https://nexus-websocket-b.intercom.io wss://nexus-websocket-a.intercom.io wss://nexus-websocket-b.intercom.io https://api-iam.intercom.io 
script-src: https://widget.intercom.io https://js.intercomcdn.com
image-src: https://js.intercomcdn.com

chrhansen commented Sep 20, 2016

Wow https://docs.intercom.com/configure-intercom-for-your-product-or-site/staying-secure/using-intercom-with-content-security-policy is a huge amount of endpoints to add to the CSP-policy. Is there any chance you guys can consider consolidating it a bit at some point? Besides a very long CSP header (for just the Intercom-plugin), I also find it a bit too permissive to whitelist so many sources.