intercom-rails
CDATA in intercom_script_tag results in the csp_sha256 mismatch and a failing CSP
Version info
- intercom-rails version: 0.4.2
- Rails version: 7.0.5
Expected behavior
Both should be true depending on how you use intercom-rails:
- If doing manual insertion with `intercom_script_tag`: the `intercom_script_tag.csp_sha256` should match the hash of the script injected into the HTML
- If doing automatic insertion: the `sha256` in the hook described in the CSP section of the readme (`def self.csp_sha256_hook(controller, sha256)`) should match the hash of the script injected into the HTML
Actual behavior
The browser reports
Refused to execute inline script because it violates the following Content Security Policy directive: [...] Either the 'unsafe-inline' keyword, a hash ('sha256-0wDuHgTA8dC7F+INUiUehCTAmoC3UVFkJl6ECD9w+iY='), or a nonce ('nonce-...') is required to enable inline execution.
There are CDATA tags surrounding the script, resulting in the hash generated by intercom-rails not matching the browser's hash of the script:
I verified that if I take a manual sha256 hash with the CDATA tags included it does match the hash reported by the browser.
Steps to reproduce
- Configure standard intercom-rails integration
- Enable Rails CSP and set `config.content_security_policy_report_only = false`
- Set up the Content Security Policy hooks for sha256 header appending
- Load the app and notice the browser reports it cannot execute the intercom script
Logs
Refused to execute inline script because it violates the following Content Security Policy directive: [...] Either the 'unsafe-inline' keyword, a hash ('sha256-0wDuHgTA8dC7F+INUiUehCTAmoC3UVFkJl6ECD9w+iY='), or a nonce ('nonce-...') is required to enable inline execution.
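The mismatch the issue describes can be reproduced without Rails or intercom-rails. A browser hashes exactly the bytes between the end of the opening `<script ...>` tag and `</script>`, so a `//<![CDATA[ ... //]]>` wrapper and its newlines change the digest even though the JavaScript inside is unchanged. The Ruby below is an added example (not code from intercom-rails or from the reporter); the `INNER_JS` snippet and the two script tags are constructed for illustration, and the sample `app_id` is a placeholder. `browser_csp_sha256` computes the value that belongs in `script-src`, which is the same "hash the rendered tag by hand" workaround mentioned later in the thread.

```ruby
require "digest"

# Constructed sample: the bare JavaScript an integration might emit.
INNER_JS = 'window.intercomSettings = {app_id: "abc123"};'

# Constructed sample: the same JavaScript inside a CDATA wrapper, as Rails'
# javascript_tag helper emits by default. Note the surrounding newlines.
CDATA_SCRIPT_TAG = <<~HTML
  <script type="text/javascript">
  //<![CDATA[
  #{INNER_JS}
  //]]>
  </script>
HTML

# Constructed sample: the same JavaScript with no wrapper at all.
PLAIN_SCRIPT_TAG = %(<script type="text/javascript">#{INNER_JS}</script>)

# CSP source expression for an inline script body: "sha256-" + base64(SHA-256).
# Digest::SHA256.base64digest returns strict (unpadded-newline-free) base64.
def csp_sha256(body)
  "sha256-" + Digest::SHA256.base64digest(body)
end

# What the browser actually hashes: every byte between the opening <script ...>
# tag and </script>, including any CDATA wrapper, comment lines and whitespace.
def browser_script_body(tag_html)
  m = tag_html.match(%r{<script[^>]*>(.*?)</script>}m)
  raise ArgumentError, "no <script> element found" unless m
  m[1]
end

# The hash the browser will accept for this tag in script-src.
def browser_csp_sha256(tag_html)
  csp_sha256(browser_script_body(tag_html))
end

# True when a hash computed from the bare JS source is the one the browser expects.
# This is the check a library computing csp_sha256 from the inner JS is implicitly
# relying on; it fails as soon as a wrapper is added around the script.
def hash_matches?(tag_html, js_source)
  browser_csp_sha256(tag_html) == csp_sha256(js_source)
end

if __FILE__ == $PROGRAM_NAME
  puts "hash of bare JS:            #{csp_sha256(INNER_JS)}"
  puts "browser hash, plain tag:    #{browser_csp_sha256(PLAIN_SCRIPT_TAG)}"
  puts "browser hash, CDATA tag:    #{browser_csp_sha256(CDATA_SCRIPT_TAG)}"
  puts "plain tag matches bare JS:  #{hash_matches?(PLAIN_SCRIPT_TAG, INNER_JS)}"
  puts "CDATA tag matches bare JS:  #{hash_matches?(CDATA_SCRIPT_TAG, INNER_JS)}"
end
```

Run it and the plain tag matches the bare-JS hash while the CDATA tag does not; the value printed for the CDATA tag is the one to add to `script-src` (or to pass through the CSP hook) if the wrapper cannot be removed. Any change to the wrapper, even a trailing newline, produces a different hash, so the hash has to be computed from the tag exactly as rendered.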
I'm facing the same issue, @baueric were you able to resolve this?
@shivam-chahar a simple solution I used is taking the hash manually of `intercom_script_tag` and adding it to my CSP.
@baueric Thanks, Eric. I'll try that out 🚀