intercom-rails

Please don't monkeypatch

Open amingilani opened this issue 9 years ago • 3 comments

Please don't monkey patch; a better way to add a nonce for twitter/secureheaders is to use the content_security_policy_nonce(:script) helper. I advise a documentation update.

amingilani avatar Sep 22 '16 18:09 amingilani

Hey! Can you provide more info about this? What part of the documentation do you want to update?

kant01ne avatar Sep 22 '16 21:09 kant01ne

Sure! I may have commented on this prematurely, but I've achieved Intercom's secure mode running on my app with Twitter Secure Headers by doing the following, which can totally be awesome if added to the docs.

I'm running secure_headers (3.4.0) and intercom-rails (0.3.2)

Improvement

The existing method outlines monkey patching, which is not a recommended way to do anything in Rails, especially since it monkey patches this gem itself.

In my application layout:

<% if user_signed_in? %>
  <%= intercom_script_tag({
    :app_id => 'app-id',
    :user_id => current_user.id,
    :email => current_user.email,
    :name => current_user.name,
    :created_at => current_user.created_at
  }, {
    :secret => Rails.application.secrets.intercom_secure_mode_secret_key,
    :widget => {:activator => '#Intercom'},
    :nonce => content_security_policy_nonce(:script)
  }) %>
<% else %>
  <%= intercom_script_tag({
    :app_id => 'qvnmie0g',
  }, {
    :secret => 'your-apps-api-secret',
    :widget => {:activator => '#Intercom'},
    :nonce => content_security_policy_nonce(:script)
  }) %>
<% end %>

Missing

Also, the documentation misses this out, but I had to whitelist wss://*.intercom.io *.intercom.io *.intercomcdn.com in my sources to get the Intercom script to work; here's my CSP config.

SecureHeaders::Configuration.default do |config|
  config.csp = {
    report_only: !Rails.env.production?, # default: false
    preserve_schemes: true, # default: false.

    default_src: %w('none'), # nothing allowed
    font_src: %w('self' fonts.gstatic.com *.intercom.io *.intercomcdn.com),
    script_src: %w('self' www.google-analytics.com *.intercom.io *.intercomcdn.com),
    connect_src: %w('self' wss://*.intercom.io *.intercom.io *.intercomcdn.com),
    img_src: %w('self' www.google-analytics.com),
    style_src: %w('unsafe-inline' 'self' fonts.googleapis.com),
    report_uri: ['https://payload.report-uri.io/r/default/csp/enforce']
  }
end

amingilani avatar Sep 23 '16 06:09 amingilani
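The nonce approach described in the two comments above, as an added worked example that is not code from intercom-rails or secure_headers: a stand-alone Ruby model of what a per-request nonce helper does, with a browser-side check showing why the nonce in the script tag and the 'nonce-' source in the header have to come from the same response. CspRequestContext, build_csp_header, render_response, parse_csp and inline_script_allowed? are hypothetical names used only here; intercom_script_tag below is a local stand-in for the gem's helper, and BASE_POLICY is a trimmed copy of the config posted above.

```ruby
# Added example: a stand-alone model of per-request CSP nonces, in the spirit of
# secure_headers' content_security_policy_nonce helper. Not intercom-rails or
# secure_headers code; CspRequestContext, build_csp_header, render_response,
# parse_csp and inline_script_allowed? are hypothetical names used only here.
require "securerandom"
require "json"

# One of these lives for exactly one response. The nonce is minted the first
# time a view asks for it, so a response with no inline script gets no nonce.
class CspRequestContext
  def initialize
    @nonces = {}
  end

  def nonce(directive)
    @nonces[directive] ||= SecureRandom.base64(24)
  end

  def nonces
    @nonces.dup
  end
end

# Trimmed copy of the policy posted in the thread (constructed sample).
BASE_POLICY = {
  default_src: %w('none'),
  script_src:  %w('self' *.intercom.io *.intercomcdn.com),
  connect_src: %w('self' wss://*.intercom.io *.intercom.io *.intercomcdn.com)
}.freeze

# Serialize the policy to a header value, appending 'nonce-...' to every
# directive that a tag requested a nonce for while the view rendered.
def build_csp_header(policy, ctx)
  policy.map do |directive, sources|
    sources = sources.dup
    nonce = ctx.nonces[directive]
    sources << "'nonce-#{nonce}'" if nonce
    "#{directive.to_s.tr('_', '-')} #{sources.join(' ')}"
  end.join("; ")
end

# Local stand-in for a nonce-aware intercom_script_tag: inline settings JSON
# with < and > escaped so a user-controlled value cannot close the tag.
def intercom_script_tag(settings, ctx)
  nonce = ctx.nonce(:script_src)
  payload = JSON.generate(settings).gsub(/[<>]/) { |c| format("\\u%04x", c.ord) }
  %(<script nonce="#{nonce}">window.intercomSettings = #{payload};</script>)
end

# Simulated request: render the view first, then emit the header, because the
# nonce only exists once a tag asked for it.
def render_response(settings)
  ctx = CspRequestContext.new
  body = intercom_script_tag(settings, ctx)
  { header: build_csp_header(BASE_POLICY, ctx), body: body, nonce: ctx.nonces[:script_src] }
end

# Parse a header value into { "directive" => [sources] }.
def parse_csp(header)
  header.split(";").each_with_object({}) do |part, acc|
    name, *sources = part.strip.split(/\s+/)
    acc[name] = sources if name
  end
end

# Browser-side decision for one inline <script>: allowed only if script-src
# (falling back to default-src) carries a 'nonce-' matching the tag attribute.
# Once any nonce or hash source is present, 'unsafe-inline' is ignored.
def inline_script_allowed?(header, tag)
  policy = parse_csp(header)
  sources = policy["script-src"] || policy["default-src"] || []
  tag_nonce = tag[/\A<script[^>]*\snonce="([^"]*)"/, 1]
  nonce_sources = sources.select { |s| s.start_with?("'nonce-") }
  hash_sources = sources.select { |s| s.start_with?("'sha") }
  return sources.include?("'unsafe-inline'") if nonce_sources.empty? && hash_sources.empty?
  !tag_nonce.nil? && nonce_sources.include?("'nonce-#{tag_nonce}'")
end
```

Two points the model makes visible: the nonce must be fresh per response and the header has to be assembled after the view has rendered, which is why a helper called from the view beats patching a fixed value into the gem; and because 'unsafe-inline' is dropped as soon as a nonce or hash source is present, requesting a nonce for style-src would silently disable the 'unsafe-inline' that the posted style_src relies on.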

+1 to @amingilani. I followed the above steps and they worked great.

adenta avatar Jan 16 '18 21:01 adenta