Prateek Hegde
Joined Jul 15, 2022 · Last activity Jul 27, 2022
Latest activity by Prateek Hegde
Prateek Hegde commented,
Hi Erica,
Here is the result of zE.version: '5cfa662'.
Also, if you need more info about the code snippet, can you please create a ticket? Since it has a key, we prefer a ticket.
Posted Jul 27, 2022 · Prateek Hegde
Prateek Hegde commented,
Hi Erica,
Wanted to check if you got a chance to review our CSP rule. Also, can you please share with us the steps to upgrade to the newest Web Widget Classic version?
Posted Jul 25, 2022 · Prateek Hegde
Prateek Hegde commented,
Hi Erica,
Thanks for your help!
I agree that based on Google's strict guidelines, 'unsafe-eval' is an allowed CSP keyword. But they also say that "This reduces the protection against certain types of DOM-based XSS bugs".
So, we want to avoid all kinds of risk and have a cleaner implementation.
Since the web snippet has a key, I am not comfortable sharing it here. But can you give me the steps to upgrade, please?
Also, here is the CSP rule related to Zendesk:
default-src 'self'
https://static.zdassets.com
https://ekr.zdassets.com
https://ekr.zendesk.com
https://*.zendesk.com
https://*.zopim.com
https://zendesk-eu.my.sentry.io
wss://*.zendesk.com
wss://*.zopim.com;
style-src 'unsafe-inline';
img-src 'self'
https://v2assets.zopim.io
https://static.zdassets.com
data:;
script-src 'self'
https://static.zdassets.com
https://ekr.zdassets.com
https://ekr.zendesk.com
https://*.zendesk.com
https://*.zopim.com
https://zendesk-eu.my.sentry.io
wss://*.zendesk.com
wss://*.zopim.com;
Posted Jul 19, 2022 · Prateek Hegde
Prateek Hegde created a post,
Hi there,
We are implementing the Content Security Policy (CSP) in our Envoy application.
We have allowed all the resources from Zendesk as valid resources in the CSP rule. But unfortunately we are getting the below error on clicking the Chat widget.
Error:
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src *.zdassets.com *.zendesk.com"
We are getting this error from the JS file "https://static.zdassets.com/web_widget/latest/classic/web-widget-8663-7c2ace3.js" at line number: 4930.
try {
return Function('"use strict"; return (' + e + ").constructor;")()
}
According to the CSP best practices, we cannot use unsafe-eval; instead we need to use an alternative for eval() or function() in JS.
Can you please provide us the solution for this, as this has become a major security issue.
We have followed the https://developer.zendesk.com/documentation/classic-web-widget-sdks/web-widget/integrating-with-google/csp/#content-security-policy-csp-support
Edited Jul 15, 2022 · Prateek Hegde
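The post above boils down to two CSP questions: does script-src allow the widget's origin, and does it grant 'unsafe-eval' (which the widget's Function() call needs)? Here is an added example, not code from Zendesk or the poster, that answers both for a policy string. It assumes simplified CSP host-source matching (scheme, optional "*." wildcard label, port when given, path ignored) and treats 'self' as the page origin; the sample policy is a constructed subset of the one in the thread.

```javascript
// Added example (not Zendesk's or the poster's code): a small CSP checker for
// the script-src question in the thread. Assumes simplified host-source
// matching (scheme, optional "*." label, port if given, path ignored).
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// True if one source expression allows the given origin. Keywords, scheme-only
// sources (data:) and malformed hosts such as "https://.zendesk.com" never match.
function sourceAllows(source, origin, selfOrigin) {
  if (source === "'self'") return origin === selfOrigin;
  if (source.startsWith("'") || source.endsWith(':')) return false;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const o = new URL(origin);
  // A scheme-less source inherits the page's scheme (assumption; no https upgrade).
  const wantScheme = (scheme || new URL(selfOrigin).protocol.slice(0, -1)).toLowerCase();
  if (o.protocol.slice(0, -1) !== wantScheme) return false;
  if (port && port !== '*' && o.port !== port) return false;
  const h = host.toLowerCase();
  return wildcard ? o.hostname.endsWith('.' + h) : o.hostname === h; // *.x.com excludes x.com
}

// The two facts the post needs: may the widget script load from its origin, and
// does the governing directive permit eval()/Function() via 'unsafe-eval'?
function checkScriptSrc(policy, scriptOrigin, selfOrigin) {
  const d = parseCsp(policy);
  const sources = d['script-src'] || d['default-src']; // script-src falls back to default-src
  if (!sources) return { originAllowed: true, evalAllowed: true }; // no directive: unrestricted
  return {
    originAllowed: sources.some((s) => sourceAllows(s, scriptOrigin, selfOrigin)),
    evalAllowed: sources.includes("'unsafe-eval'"),
  };
}

// Constructed policy mirroring a subset of the one posted in the thread.
const POSTED_POLICY =
  "default-src 'self' https://static.zdassets.com https://*.zendesk.com wss://*.zopim.com; " +
  "style-src 'unsafe-inline'; img-src 'self' https://static.zdassets.com data:; " +
  "script-src 'self' https://static.zdassets.com https://ekr.zdassets.com https://*.zendesk.com https://*.zopim.com";

console.log(checkScriptSrc(POSTED_POLICY, 'https://static.zdassets.com', 'https://app.example.com'));
// { originAllowed: true, evalAllowed: false }  -> the widget loads, but its Function() call is refused
```

Running it against the posted policy reproduces the error condition from the thread: the script origin is allowed while eval is not, so the only two ways out are adding 'unsafe-eval' to script-src (weakening DOM-XSS protection, as the comment notes) or moving to a widget build that does not call Function().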