Skip to content

Instantly share code, notes, and snippets.

@benschwarz
Created October 14, 2015 14:56
Show Gist options
  • Save benschwarz/9b4694d444096ec0a33a to your computer and use it in GitHub Desktop.
Save benschwarz/9b4694d444096ec0a33a to your computer and use it in GitHub Desktop.
Intercom CSP (Content security policy)

You'll need to add a whole slew of hosts for intercom if you've got CSP in place (which you should).

Heres what you'll need to add:

connect-src: https://api-ping.intercom.io https://nexus-websocket-a.intercom.io https://nexus-websocket-b.intercom.io wss://nexus-websocket-a.intercom.io wss://nexus-websocket-b.intercom.io https://api-iam.intercom.io 
script-src: https://widget.intercom.io https://js.intercomcdn.com
image-src: https://js.intercomcdn.com
@benschwarz
Copy link
Author

Thanks for the updates folks!

@nsheridan
Copy link

Hi there. I've documented Intercom's recommended CSP settings: https://docs.intercom.io/configure-intercom-for-your-product-or-site/staying-secure/using-intercom-with-content-security-policy. We'll keep the document current so if anything changes we'll publish it there and add to the changelog.
Hope this helps!

@chrhansen
Copy link

Wow https://docs.intercom.com/configure-intercom-for-your-product-or-site/staying-secure/using-intercom-with-content-security-policy is a huge amount of endpoints to add to the CSP-policy. Is there any chance you guys can consider consolidating it a bit at some point? Besides a very long CSP header (for just the Intercom-plugin), I also find it a bit too permissive to whitelist so many sources.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment