Test Intercom Content Security Policy as per https://docs.intercom.com/configure-intercom-for-your-product-or-site/staying-secure/using-intercom-with-content-security-policy
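<?php

declare(strict_types=1);

/*
 * Intercom Content Security Policy test page.
 *
 * Serves a small page that loads the Intercom messenger under one of the two
 * CSP variants from the Intercom docs so the policy can be checked in a
 * browser. Behaviour is selected by query-string flags, each either "1" or
 * absent:
 *   report=1     - act as the report-uri endpoint: append the raw report body
 *                  to $report_file_name and exit without rendering anything.
 *   usemeta=1    - deliver the policy via <meta http-equiv> instead of a header
 *                  (report-uri is omitted in that case, as it is not honoured
 *                  in a meta policy).
 *   v2=1         - use the allow-list ("V1/V2") policy instead of the
 *                  nonce + 'strict-dynamic' ("V3") policy.
 *   reportonly=1 - send Content-Security-Policy-Report-Only instead of the
 *                  enforcing header.
 */

// A CSP nonce must be unguessable and fresh per response; rand() is neither
// cryptographically strong nor wide enough, random_bytes() is CSPRNG-backed.
$random = base64_encode(random_bytes(16));
$date = date('Y-m-d H:i:s');
$report_to_file = true;
$report_page = './csp.php?report=1';
// Written next to the script, i.e. normally inside the document root, so the
// collected reports are web-readable. Acceptable for a test page only.
$report_file_name = 'report.txt';
$intercom_app_id = 'YOUR_APP_ID';

/** Reads a "1"/absent flag from the query string; any other value (including arrays) counts as off. */
$flag = static fn (string $key): bool => ($_GET[$key] ?? '') === '1';

$config = [
    'report'     => $flag('report'),
    'usemeta'    => $flag('usemeta'),
    'v2'         => $flag('v2'),
    'reportonly' => $flag('reportonly'),
];

if ($config['report']) {
    // Report endpoint: the browser POSTs a JSON violation report here.
    // Cap the body so an arbitrary client cannot grow the log without bound.
    $body = file_get_contents('php://input', false, null, 0, 65536);
    $data = $date . ': ' . $random . ' | ' . ($body === false ? '' : $body) . "\n";
    if ($report_to_file) {
        file_put_contents($report_file_name, $data, FILE_APPEND | LOCK_EX);
    }
    exit;
}

$report_page_policy = $config['usemeta'] ? '' : "report-uri {$report_page};";

// "V3" policy from the Intercom docs: nonce + 'strict-dynamic'. The
// 'unsafe-inline' / 'unsafe-eval' / https: / http: entries are the documented
// fallback for older browsers; a CSP3 browser that understands
// 'strict-dynamic' ignores the host, scheme and 'unsafe-inline' sources.
$v3 = " object-src 'none'; "
    . $report_page_policy
    . " script-src 'nonce-{$random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:; "
    . " base-uri 'self'; ";

// "V1/V2" allow-list policy from the Intercom docs, directive => sources.
$v2_sources = [
    'connect-src' => [
        'https://api.intercom.io',
        'https://api-iam.intercom.io',
        'https://api-ping.intercom.io',
        'https://nexus-websocket-a.intercom.io',
        'https://nexus-websocket-b.intercom.io',
        'https://nexus-long-poller-a.intercom.io',
        'https://nexus-long-poller-b.intercom.io',
        'wss://nexus-websocket-a.intercom.io',
        'wss://nexus-websocket-b.intercom.io',
        'https://uploads.intercomcdn.com',
        'https://uploads.intercomusercontent.com',
        'https://app.getsentry.com',
    ],
    'child-src' => [
        'https://share.intercom.io',
        'https://intercom-sheets.com',
        'https://www.youtube.com',
        'https://player.vimeo.com',
        'https://fast.wistia.net',
    ],
    'font-src' => ['https://js.intercomcdn.com'],
    'media-src' => ['https://js.intercomcdn.com'],
    'img-src' => [
        'data:',
        'https://js.intercomcdn.com',
        'https://static.intercomassets.com',
        'https://downloads.intercomcdn.com',
        'https://uploads.intercomusercontent.com',
        'https://gifs.intercomcdn.com',
    ],
    'script-src' => [
        'https://app.intercom.io',
        'https://widget.intercom.io',
        'https://js.intercomcdn.com',
        "'nonce-{$random}'", // not in the docs: lets the inline bootstrap script at the bottom of the page run
    ],
    'style-src' => ["'unsafe-inline'"],
];

$v2 = $report_page_policy;
foreach ($v2_sources as $directive => $sources) {
    $v2 .= ' ' . $directive . ' ' . implode(' ', $sources) . ';';
}

$type = $config['reportonly'] ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
$policy = $config['v2'] ? $v2 : $v3;

if (!$config['usemeta']) {
    header($type . ': ' . $policy);
}

/** HTML-escapes a string for use in element content or a double-quoted attribute. */
$e = static fn (string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// SCRIPT_NAME is the script path only; PHP_SELF would also carry any
// attacker-chosen PATH_INFO from the request URL into the links below.
$url = $_SERVER['SCRIPT_NAME'] ?? '';
parse_str($_SERVER['QUERY_STRING'] ?? '', $query);

/** Link back to this page with one flag flipped relative to its effective value. */
$toggle_url = static function (string $key) use ($url, $query, $config): string {
    $next = $query;
    $next[$key] = $config[$key] ? '0' : '1';

    return $url . '?' . http_build_query($next);
};

// Readable rendering of the policy: one directive per paragraph, one source per line.
$pretty_policy = str_replace(
    [';', 'https://', 'http://', 'wss://'],
    [";\n\n", "\n https://", "\n http://", "\n wss://"],
    $policy,
);
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<?php if ($config['usemeta']) : ?>
<meta http-equiv="<?= $e($type) ?>" content="<?= $e($policy) ?>">
<?php endif; ?>
<title>Intercom CSP test page</title>
</head>
<body>
<h1>Intercom CSP test page</h1>
<p><a href="https://docs.intercom.com/configure-intercom-for-your-product-or-site/staying-secure/using-intercom-with-content-security-policy">Source article/configuration</a></p>
<div>
<a class="button" href="<?= $e($toggle_url('v2')) ?>">Toggle version</a> currently
<?= $config['v2'] ? 'V1/V2' : 'V3' ?>
</div>
<div>
<a class="button" href="<?= $e($toggle_url('usemeta')) ?>">Toggle using meta</a> currently
<?= $config['usemeta'] ? 'YES' : 'NO' ?>
</div>
<div>
<a class="button" href="<?= $e($toggle_url('reportonly')) ?>">Toggle report</a> currently
<?= $config['reportonly'] ? 'reportonly' : 'enforced' ?>
</div>
<h2>Policy in use</h2>
<pre><?= $e($pretty_policy) ?></pre>
<script type="text/javascript" nonce="<?= $e($random) ?>">
var APP_ID = <?= json_encode($intercom_app_id, JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) ?>;
// Settings are defined before the loader so the "already loaded" branch
// (ic('update', intercomSettings)) never sees an undefined variable.
window.intercomSettings = {app_id: APP_ID};
(function(){var w=window;var ic=w.Intercom;if(typeof ic==="function"){ic('reattach_activator');ic('update',intercomSettings);}else{var d=document;var i=function(){i.c(arguments)};i.q=[];i.c=function(args){i.q.push(args)};w.Intercom=i;function l(){var s=d.createElement('script');s.type='text/javascript';s.async=true;
s.src='https://widget.intercom.io/widget/'+APP_ID;var x=d.getElementsByTagName('script')[0];x.parentNode.insertBefore(s,x);}if(w.attachEvent){w.attachEvent('onload',l);}else{w.addEventListener('load',l,false);}}})()
</script>
</body>
</html>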