
Web Widget violates CSP



Posted Aug 03, 2021

My app is using the web widget via the loading of the ze-snippet script. I am setting a nonce on the script element and I have followed the web widget CSP documentation. However, I am getting a CSP violation due to an iframe attempting to run an inline script.

I believe I've narrowed it down to the "asset_composer.js" script that's loaded into an iframe by the snippet. I can see that there's an inline script that does not have a nonce. The only way to remove this violation is to add "unsafe-inline" to my script policy, which is not acceptable. Am I missing something here? I've seen numerous conversations about CSP but none are related to this issue, and it appears there was an effort to improve this in the past couple years but it's still broken.

Thanks,

Chris


13 comments


Eric Nelson

Zendesk Developer Advocacy

Hey Chris!

Are you using the recommended setup or a custom configuration? Would you be able to provide us the snippet so that we can take a look?

Have a wonderful day!

Eric Nelson | Manager - Developer Advocacy

0


I am experiencing the exact same issue using the recommended setup.

Below is a copy of the snippet as it is implemented on my site, where "random-csp-nonce" is being generated by my server:


<!-- Start of greenbuildingregistry Zendesk Widget script -->
<script id="ze-snippet" src="https://static.zdassets.com/ekr/snippet.js?key=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" nonce="random-csp-nonce"> </script>
<!-- End of greenbuildingregistry Zendesk Widget script -->

The error appears as: "Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-xxxxxxxxxxxxxxxxx'". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution." With a reference to web-widget-218-a0e6bddf78f556c0ba98.js:2

0


Just adding my voice as I'm currently experiencing what seems to be the same issue as Fable.

Your documentation suggests adding "unsafe-inline" to our content security policy, but is there another solution, suitable for those of us for whom relaxing their CSP by allowing potentially unsafe styles is unacceptable?

Thanks in advance.

0


Adding my voice too... Not a fan of allowing "unsafe-inline" as it defeats the whole purpose of the CSP headers.

0


Same, adding "unsafe-inline" defeats the goal. Could you please change it to use a nonce instead?

0


1: Adding to this. I see that the CSP guide (https://developer.zendesk.com/documentation/classic-web-widget-sdks/web-widget/integrating-with-google/csp/) says

style-src 'unsafe-inline';

Is there some solution so we do not need this, either? Can we use a nonce, instead?

2: Even with a nonce, this doesn't protect us from corruption on your end (not saying you are prone to that, it is just a general concern). Have y'all thought about some solution to all this where we can avoid relying on dynamically downloaded code? For example, provide a versioned npm package that we can package into our app and we then just download a well-defined JSON file (that we could validate) that we can then feed into that code?

0


Any updates on this? We would like to use the Zendesk chat feature but `style-src 'unsafe-inline';` is not an option for us. We require a strict CSP that will not allow that policy.

0


We are having issues with the Content Security Policy (CSP) directive "style-src 'self' 'nonce-xxxxxxxxxxxxxxxxx'". This directive is preventing us from loading stylesheets from Zendesk chat, which is causing problems with the chat functionality.

We have been using the unsafe-inline option as a workaround, but this is not a good long-term solution. We would appreciate it if you could investigate this issue and provide a fix.

0



Destiny

Zendesk Customer Care

Hi Yura,
 
Thank you for your message. Could you provide additional details regarding the impact of the CSP directive on your Zendesk Chat stylesheets? I'd like to ensure that you're adhering to the setup guidelines outlined in our developer documentation, which you can find at https://developer.zendesk.com/documentation/classic-web-widget-sdks/web-widget/integrating-with-google/csp/.
 
It would be very helpful if you could share more about how this is influencing the functionality of your widget. Thanks

0


Hi Destiny,

Thank you for your response.

We are using the recommended setup (add the nonce attribute to the Web Widget snippet) from your documentation. However, if we do not add 'unsafe-inline' to style-src, the CSS styles do not load on the page and the chat does not display properly. You can easily reproduce this on your own Zendesk instance.

Chat view: 

Console:

All previous participants in this thread have described the problem in detail, but as I can see, you have not responded in any way in 3 years.

Thank you, and I hope one of your engineers will check and fix the problem.

0



Destiny

Zendesk Customer Care

Hello Yura, 
 
Thank you for the screenshot and the extra details you've shared.
 
Regrettably, I must inform you that our current setup does not support this functionality, as the Web Widget (Classic) necessitates the inclusion of 'unsafe-inline'. Although there have been previous attempts to investigate and resolve this matter, we have yet to find a definitive solution. Given our existing roadmap and priorities, we do not have the capacity to address this at the moment. Hoping for your understanding on this matter. 

0


Hi Destiny,

Thank you for your response. I admit, this is not what I expected. However, in the interests of fairness, I would like you to change your documentation on this page: https://developer.zendesk.com/documentation/classic-web-widget-sdks/web-widget/integrating-with-google/csp/, as it is inaccurate and leads to wasted time for companies that want to comply with CSP.

Thank you for your understanding.

0



Destiny

Zendesk Customer Care

Hello Yura,
 
Thank you for providing your candid feedback. Given that this pertains to developer documentation, I will pass on your comments to our team. I'm hopeful that they will be able to implement updates promptly.

0

