You'll need to add a whole slew of hosts for intercom if you've got CSP in place (which you should).
Heres what you'll need to add:
connect-src: https://api-ping.intercom.io https://nexus-websocket-a.intercom.io https://nexus-websocket-b.intercom.io wss://nexus-websocket-a.intercom.io wss://nexus-websocket-b.intercom.io https://api-iam.intercom.io
script-src: https://widget.intercom.io https://js.intercomcdn.com
image-src: https://js.intercomcdn.com
For profile images, I found the following to be necessary within img-src:
https://static.intercomassets.com
As well as the following within media-src for audio files:
https://js.intercomcdn.com
Thanks for the updates folks!
Hi there. I've documented Intercom's recommended CSP settings: https://docs.intercom.io/configure-intercom-for-your-product-or-site/staying-secure/using-intercom-with-content-security-policy. We'll keep the document current so if anything changes we'll publish it there and add to the changelog.
Hope this helps!
Wow https://docs.intercom.com/configure-intercom-for-your-product-or-site/staying-secure/using-intercom-with-content-security-policy is a huge amount of endpoints to add to the CSP-policy. Is there any chance you guys can consider consolidating it a bit at some point? Besides a very long CSP header (for just the Intercom-plugin), I also find it a bit too permissive to whitelist so many sources.
Plus
and if you want to embed any videos in your in-app messages you'll need something like