Content Security Policy blocking the chat widget.

Answered


Posted Jul 15, 2022

Hi There,

We are implementing the Content Security Policy(CSP) in our Envoy Application.

We have allowed all the resources from Zendesk as valid resources in the CSP rule. But unfortunately we are getting the below error on clicking the Chat widget.
Error:
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src *.zdassets.com *.zendesk.com"

We are getting this error from the JS file "https://static.zdassets.com/web_widget/latest/classic/web-widget-8663-7c2ace3.js" at line number 4930:
try {
    return Function('"use strict"; return (' + e + ").constructor;")()

According to the CSP best practices, we cannot use unsafe-eval; instead we need to use an alternative for eval() or Function() in JS.

Can you please provide us the solution for this, as this has become a major security issue.


We have followed the
https://developer.zendesk.com/documentation/classic-web-widget-sdks/web-widget/integrating-with-google/csp/#content-security-policy-csp-support
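The error quoted in the post comes from a `Function(...)` call, which CSP treats exactly like `eval()`: it is only permitted when `'unsafe-eval'` appears in the directive that governs scripts, and a host allow-list such as `*.zdassets.com` does nothing to change that. The following is an added example, not code from the original post or from Zendesk: a small policy evaluator that parses a CSP header, decides whether scripts may use eval/Function (script-src, falling back to default-src only when script-src is absent), and checks whether a script URL is covered by the host list, plus the try/catch feature detection a bundle can use to degrade gracefully instead of throwing. The policy string and widget URL are the ones from the error message above; the function names (`parseCsp`, `allowsEval`, `scriptUrlAllowed`, `evalAvailable`, `diagnose`) are mine, and host matching is simplified (ports and paths are not handled, `'self'` is not resolved, and a scheme-less host is taken to match both http and https).

```javascript
// Added example: a minimal CSP evaluator (not Zendesk's code).
// Policy string and widget URL below are copied from the error in the post.
const THREAD_POLICY = 'script-src *.zdassets.com *.zendesk.com';
const WIDGET_URL =
  'https://static.zdassets.com/web_widget/latest/classic/web-widget-8663-7c2ace3.js';

// Parse "name src src; name src ..." into a Map of directive -> source list.
// CSP ignores a repeated directive name, so only the first occurrence is kept.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Scripts are governed by script-src; default-src applies only when
// script-src is absent. With neither present, scripts are unrestricted.
function effectiveScriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// eval(), new Function(), setTimeout(string) etc. all need 'unsafe-eval'.
function allowsEval(policy) {
  const sources = effectiveScriptSources(policy);
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Simplified host-source matching (assumption: no ports or paths; a
// scheme-less host matches both http and https; 'self' is not resolved).
function hostSourceMatches(source, url) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  let expr = source.toLowerCase();
  // A scheme-source such as "https:" matches any URL with that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return u.protocol === expr;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/.exec(expr);
  if (m) {
    if (u.protocol !== m[1] + ':') return false;
    expr = m[2];
  } else if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    return false;
  }
  if (expr === '*') return true;
  if (expr.startsWith('*.')) {
    // "*.zdassets.com" matches static.zdassets.com but not zdassets.com itself.
    const suffix = expr.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === expr;
}

// Is this script URL covered by the effective script source list?
function scriptUrlAllowed(policy, url) {
  const sources = effectiveScriptSources(policy);
  if (sources === null) return true;
  return sources.some((s) => !s.startsWith("'") && hostSourceMatches(s, url));
}

// Runtime feature detection: under a policy without 'unsafe-eval' the
// Function constructor throws an EvalError, which a bundle can catch and
// fall back from instead of breaking the page. In Node (no CSP) this is true.
function evalAvailable() {
  try {
    return new Function('return true;')() === true;
  } catch (e) {
    if (e instanceof EvalError) return false;
    throw e;
  }
}

// Answer both questions for one policy/URL pair.
function diagnose(header, url) {
  const policy = parseCsp(header);
  return {
    scriptUrlAllowed: scriptUrlAllowed(policy, url),
    evalAllowed: allowsEval(policy),
  };
}

console.log(JSON.stringify(diagnose(THREAD_POLICY, WIDGET_URL)));
// {"scriptUrlAllowed":true,"evalAllowed":false}
```

Run against the policy from the post, the widget script itself is allowed but eval is not, which is exactly the mismatch the browser reports. Adding `'unsafe-eval'` to script-src would make `allowsEval` true, but it re-enables string evaluation for every host on the list, so it weakens the policy rather than fixing the widget; the durable fix is for the bundle to stop depending on `Function(...)`, or at least to feature-detect it as `evalAvailable` does.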



15 comments

Hello,
 
Thanks for your patience.  Our web widget devs have released a fix to resolve this error.  Let us know if you still encounter an issue.



Any update on this issue ? We are also affected by it and it is a big blocker for us.



Hi Folks,
 
Apologies for the confusion.  Our inability to reproduce was due to an issue with the testing steps/conditions.  Our team is currently reviewing this issue.



So will we get a universal solution, or are you going case by case with whoever complains?

How do we make your chat log users in without allowing unsafe-eval? The web widget receives all the necessary user information to log them in, but it doesn't happen.
 



Hi 1264158211509,

Taras Velychko provided you with all the examples of how to easily reproduce this issue, and it is reproducible not only for us. Why is there no response from you and your team on this matter?



Hi Christof,
 
I've created a ticket to work with you in greater detail on this.  Please refer to the ticket for next steps.



Got the same issue following https://developer.zendesk.com/documentation/classic-web-widget-sdks/web-widget/integrating-with-google/csp/

Not working without unsafe-eval.
Can you fix it so we don't need to set 'unsafe-eval'?



Hi Tipene.

You should check it in our web app
https://app.help-desk-migration.com/authorization/sign-in



Hi Taras,
 
I've tested this across multiple web widget instances and I've been unable to reproduce the issue you're seeing. Is this still present on your end? If so, can you provide a link where I can see this? Or, if there are any specific steps to reproduce, please outline those here.
 
Thanks,
 
Tipene



Hi.

Our chat widget isn't working properly because now it demands unsafe-eval to be allowed.

However, it isn't one of the safe practices and is blocked by CSP policies. 

Moreover, unsafe-eval was not used before today or yesterday and the chat widget was working fine. But now it requires unsafe-eval to run. You can see on the screenshot that Google warns against using it, and I don't understand your argument that "it is an allowed CSP keyword".

This should definitely be fixed immediately.


