
Content Security Policy blocking the chat widget.

Answered


Posted Jul 15, 2022

Hi There,

We are implementing the Content Security Policy(CSP) in our Envoy Application.

We have allowed all the resources from Zendesk as valid resources in the CSP rule. But unfortunately we are getting the below error on clicking the Chat widget.
Error:
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src *.zdassets.com *.zendesk.com"

We are getting this error from the JS file "https://static.zdassets.com/web_widget/latest/classic/web-widget-8663-7c2ace3.js" at line number : 4930.
// Excerpt from the widget bundle: the Function() constructor call is what CSP blocks without 'unsafe-eval'
try {
    return Function('"use strict"; return (' + e + ").constructor;")()
} catch (t) {}

According to the CSP best practices, we cannot use unsafe-eval; instead we need to use an alternative for eval() or Function() in JS.

Can you please provide us the solution for this, as this has become a major security issue.


We have followed the
https://developer.zendesk.com/documentation/classic-web-widget-sdks/web-widget/integrating-with-google/csp/#content-security-policy-csp-support


0

15

15 comments


Erica Girges

Zendesk Developer Advocacy

Hi Prateek,
 
Thanks for sharing this within the Community! We adhere to Google's Strict CSP guidelines which can be found here. Based on their strict guidelines, 'unsafe-eval' is an allowed CSP keyword. Their recommendation is that if eval() is not used then you can omit it for increased security. Having it would not violate the Strict CSP.
 
However, taking a further look into our newest Web Widget Classic version you should be able to omit it as it doesn't appear we're using eval. Would you be able to share your current Web Widget snippet and CSP setup?
 
Best,
 
Erica

0


Hi Erica,

Thanks for your help!

I agree that based on google's strict guidelines, 'unsafe-eval' is an allowed CSP keyword. But they also say that "This reduces the protection against certain types of DOM-based XSS bugs".

So, we want to avoid all kind of risk and have a cleaner implementation.

Since the web snippet has a key, I am not comfortable sharing it here. But can you give me the steps to upgrade please?

Also, here is the CSP rule related to Zendesk

default-src 'self'
            https://static.zdassets.com
            https://ekr.zdassets.com
            https://ekr.zendesk.com
            https://<domain>.zendesk.com
            https://*.zopim.com
            https://zendesk-eu.my.sentry.io
            wss://<domain>.zendesk.com
            wss://*.zopim.com;
style-src 'unsafe-inline';
img-src 'self'
        https://v2assets.zopim.io
        https://static.zdassets.com
        data:;
script-src 'self'
            https://static.zdassets.com
            https://ekr.zdassets.com
            https://ekr.zendesk.com
            https://<domain>.zendesk.com
            https://*.zopim.com
            https://zendesk-eu.my.sentry.io
            wss://<domain>.zendesk.com
            wss://*.zopim.com;

0
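An added example (not Zendesk's code and not the poster's) for checking a policy like the one above before deploying it: it parses the CSP string, applies the script-src to default-src fallback, reports whether eval()/Function() is permitted, and reduces a securitypolicyviolation event to a loggable record. The policy string is constructed from the one posted in this thread, with "<domain>" left as the poster's placeholder.

```javascript
// Constructed from the policy posted above, joined into one header value as
// the browser receives it. "<domain>" is the poster's placeholder, kept as-is.
const CSP_FROM_THREAD = [
  "default-src 'self' https://static.zdassets.com https://ekr.zdassets.com https://ekr.zendesk.com https://<domain>.zendesk.com https://*.zopim.com https://zendesk-eu.my.sentry.io wss://<domain>.zendesk.com wss://*.zopim.com",
  "style-src 'unsafe-inline'",
  "img-src 'self' https://v2assets.zopim.io https://static.zdassets.com data:",
  "script-src 'self' https://static.zdassets.com https://ekr.zdassets.com https://ekr.zendesk.com https://<domain>.zendesk.com https://*.zopim.com https://zendesk-eu.my.sentry.io wss://<domain>.zendesk.com wss://*.zopim.com",
].join("; ");

// Parse "name src src; name src ..." into a Map of directive -> source list.
// Browsers ignore a repeated directive, so the first occurrence wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// script-src governs eval(); when it is absent the browser falls back to
// default-src, so a policy with only default-src can still block the widget.
function effectiveScriptSources(directives) {
  return directives.get("script-src") ?? directives.get("default-src") ?? [];
}

// True when eval() / new Function() is permitted by this policy.
function evalAllowed(policy) {
  return effectiveScriptSources(parseCsp(policy))
    .some((src) => src.toLowerCase() === "'unsafe-eval'");
}

// Reduce a securitypolicyviolation event (or an object with the same fields)
// to what a defender logs: the directive that fired and where it was hit.
// Browsers report blockedURI "eval" for a blocked eval()/Function() call.
// Wire it with: document.addEventListener("securitypolicyviolation", (e) => ...)
function summariseViolation(ev) {
  const directive = ev.effectiveDirective || ev.violatedDirective || "unknown";
  return {
    directive,
    blocked: ev.blockedURI,
    where: `${ev.sourceFile || "?"}:${ev.lineNumber || 0}`,
    needsUnsafeEval: directive.startsWith("script-src") && ev.blockedURI === "eval",
  };
}
```

Run the check against a Content-Security-Policy-Report-Only header first, so blocked eval calls show up as reports rather than a broken widget.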


Hi Erica,

Wanted to check if you got a chance to review our CSP rule. Also, can you please share with us the steps to upgrade to the newest Web Widget Classic version?

0



Erica Girges

Zendesk Developer Advocacy

Hi Prateek, 
 
I don't believe I received your code snippet. Would you be able to share it here? If you would prefer for privacy, I can create a ticket for you to share that info. 
 
You should already have the latest version but just to verify, try running zE.version in the console for your website where you have the widget embedded.
 
Best,
 
Erica
 

0


Hi Erica,

Here is the result of zE.version : '5cfa662'.

Also, if you need more info about the code snippet, can you please create a ticket? Since it has a key, we prefer a ticket.

0


Hi.

Our chat widget isn't working properly because now it demands unsafe-eval to be allowed.

However, it isn't one of the safe practices and is blocked by CSP policies. 

Moreover, unsafe-eval was not used before today or yesterday and the chat widget was working fine. But now it requires unsafe-eval to run. You can see on the screenshot that Google warns against using it and I don't understand your argument that “it is an allowed CSP keyword”.

This should definitely be fixed immediately

0



Tipene Hughes

Zendesk Developer Advocacy

Hi Taras,
 
I've tested this across multiple web widget instances and I've been unable to reproduce the issue you're seeing. Is this still present on your end? If so, can you provide a link where I can see this? Or, if there are any specific steps to reproduce, please outline those here.
 
Thanks,
 
Tipene

0


Hi Tipene.

You should check it in our web app
https://app.help-desk-migration.com/authorization/sign-in

0


got the same issue following https://developer.zendesk.com/documentation/classic-web-widget-sdks/web-widget/integrating-with-google/csp/

Not working without unsafe-eval
can you fix so we don't need to set ‘unsafe-eval’ ?

0



Christopher Kennedy

Zendesk Developer Advocacy

Hi Christof,
 
I've created a ticket to work with you in greater detail on this.  Please refer to the ticket for next steps.

0


Hi Tipene Hughes,

Taras Velychko provided you with all the examples of how to easily reproduce this issue, and it is reproducible not only for us. Why is there no response from you and your team on this matter?

0


So will we get a universal solution or you're going case by case with whoever complains?

How do we make your chat log in users without allowing unsafe-eval? The Web widget receives all the necessary user information for logging him in, but it doesn't happen.
 

1



Christopher Kennedy

Zendesk Developer Advocacy

Hi Folks,
 
Apologies for the confusion.  Our inability to reproduce was due to an issue with the testing steps/conditions.  Our team is currently reviewing this issue.

0


Any update on this issue ? We are also affected by it and it is a big blocker for us.

0



Christopher Kennedy

Zendesk Developer Advocacy

Hello,
 
Thanks for your patience.  Our web widget devs have released a fix to resolve this error.  Let us know if you still encounter an issue.

0

