CDATA in intercom_script_tag results in the csp_sha256 mismatch and a failing CSP #342

Open
baueric opened this issue Jun 27, 2023 · 3 comments

Comments

@baueric

baueric commented Jun 27, 2023

Version info

  • intercom-rails version: 0.4.2
  • Rails version: 7.0.5

Expected behavior

Both should be true depending on how you use intercom-rails:

  1. If doing manual insertion with intercom_script_tag: The intercom_script_tag.csp_sha256 should match the hash of the script injected into the HTML
  2. If doing automatic insertion: The sha256 passed to the hook described in the CSP section of the readme (def self.csp_sha256_hook(controller, sha256)) should match the hash of the script injected into the HTML

Actual behavior

The browser reports

Refused to execute inline script because it violates the following Content Security Policy directive: [...] Either the 'unsafe-inline' keyword, a hash ('sha256-0wDuHgTA8dC7F+INUiUehCTAmoC3UVFkJl6ECD9w+iY='), or a nonce ('nonce-...') is required to enable inline execution.

There are CDATA tags surrounding the script resulting in the hash generated by intercom-rails not matching the browser's hash of the script:

[Screenshot 2023-06-27 at 13 02 25: browser devtools showing the injected intercom script wrapped in CDATA tags]

I verified that if I take a manual sha256 hash with the CDATA tags included it does match the hash reported by the browser.

Steps to reproduce

  1. Configure standard intercom-rails integration
  2. Enable Rails CSP and set config.content_security_policy_report_only = false
  3. Set up the Content Security Policy hooks for sha256 header appending
  4. Load the app and notice the browser reports it cannot execute the intercom script

Logs

Refused to execute inline script because it violates the following Content Security Policy directive: [...] Either the 'unsafe-inline' keyword, a hash ('sha256-0wDuHgTA8dC7F+INUiUehCTAmoC3UVFkJl6ECD9w+iY='), or a nonce ('nonce-...') is required to enable inline execution.
baueric changed the title from "CDATA in intercom_script_tag results in the csp_sha256 not matching and a failing CSP" to "CDATA in intercom_script_tag results in the csp_sha256 mismatch and a failing CSP" on Jun 28, 2023
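The mismatch described in this report comes down to what bytes get hashed. A browser computes the CSP hash over the exact text between the opening script tag and </script>, so if a CDATA comment wrapper is added around the source after the library has already hashed the bare source, the two digests cannot agree. The script below is an added example, not code from intercom-rails or from the reporter; it assumes a Rails javascript_tag-style wrapper of the form //<![CDATA[ ... //]]> and uses a constructed placeholder snippet rather than Intercom's real one. It shows the wrong (source-only) hash beside the one a browser would actually accept, computed from the rendered body:

```ruby
require "digest"
require "base64"

# Produces the CSP source expression for an inline script: base64 of the
# SHA-256 over the exact bytes the browser sees between <script> and
# </script>. No trimming or whitespace normalisation is applied, because
# the browser applies none either.
def csp_sha256(script_body)
  "sha256-#{Base64.strict_encode64(Digest::SHA256.digest(script_body))}"
end

# Assumed wrapper for this example, in the style Rails' javascript_tag has
# used: a //<![CDATA[ ... //]]> comment pair surrounding the source.
def wrap_in_cdata(script_body)
  "\n//<![CDATA[\n#{script_body}\n//]]>\n"
end

# Extracts the inline script body from an HTML fragment exactly as the
# browser would hash it: everything between the opening tag's ">" and the
# closing </script>, newlines and comment markers included.
def inline_script_body(html)
  m = html.match(%r{<script[^>]*>(.*?)</script>}m)
  m && m[1]
end

# Constructed placeholder; not Intercom's actual bootstrap snippet.
SAMPLE_SCRIPT = 'window.intercomSettings = {app_id: "example_app_id"};'.freeze

# Reproduces the reported failure: hash the bare source, then render it
# inside a CDATA wrapper and compare with the hash of the rendered body.
def hash_mismatch?(script_body)
  html = "<script>#{wrap_in_cdata(script_body)}</script>"
  csp_sha256(script_body) != csp_sha256(inline_script_body(html))
end

# The value that belongs in the CSP header: derived from the rendered
# markup, so any wrapper the templating layer adds is already included.
def csp_sha256_for_rendered(html)
  csp_sha256(inline_script_body(html))
end

if __FILE__ == $0
  html = "<script>#{wrap_in_cdata(SAMPLE_SCRIPT)}</script>"
  puts "source-only hash:   #{csp_sha256(SAMPLE_SCRIPT)}"
  puts "rendered-body hash: #{csp_sha256_for_rendered(html)}"
  puts "mismatch?           #{hash_mismatch?(SAMPLE_SCRIPT)}"
end
```

The practical check for any inline-script CSP hash is the same as the reporter's manual verification: copy the full text between the script tags out of the rendered page (view-source, not a prettified devtools tree), hash those bytes, and compare against the value your application emits in the header. If the library computes its hash before a wrapper is applied, the header value must be derived from the rendered output instead, or the wrapper has to be disabled so the hashed bytes and the served bytes are identical.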
@shivam-chahar commented

I'm facing the same issue. @baueric, were you able to resolve this?

@baueric (Author)

baueric commented Aug 14, 2023

@shivam-chahar a simple solution I used is taking the hash of intercom_script_tag manually and adding it to my CSP.

@shivam-chahar commented

@baueric Thanks, Eric. I'll try that out 🚀
