Content Security Policy blocking the chat widget.
Hi there,
We are implementing the Content Security Policy (CSP) in our Envoy application.
We have allowed all the resources from Zendesk as valid resources in the CSP rule. But unfortunately we are getting the below error on clicking the Chat widget.
Error:
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src *.zdassets.com *.zendesk.com"
We are getting this error from the JS file "https://static.zdassets.com/web_widget/latest/classic/web-widget-8663-7c2ace3.js" at line number : 4930.
try {
return Function('"use strict"; return (' + e + ").constructor;")()
}
According to the CSP best practices, we cannot use 'unsafe-eval'; instead we need to use an alternative for eval() or Function() in JS.
Can you please provide us the solution for this, as this has become a major security issue.
We have followed the guidance at
https://developer.zendesk.com/documentation/classic-web-widget-sdks/web-widget/integrating-with-google/csp/#content-security-policy-csp-support
-
Hi Prateek,
Thanks for sharing this within the Community! We adhere to Google's Strict CSP guidelines, which can be found here. Based on their strict guidelines, 'unsafe-eval' is an allowed CSP keyword. Their recommendation is that if eval() is not used, then you can omit it for increased security. Having it would not violate the Strict CSP.
However, taking a further look into our newest Web Widget Classic version you should be able to omit it as it doesn't appear we're using eval. Would you be able to share your current Web Widget snippet and CSP setup?
Best,
Erica
-
Hi Erica,
Thanks for your help!
I agree that based on Google's strict guidelines, 'unsafe-eval' is an allowed CSP keyword. But they also say that "This reduces the protection against certain types of DOM-based XSS bugs".
So, we want to avoid all kinds of risk and have a cleaner implementation.
Since the web snippet has a key, I am not comfortable sharing it here. But can you give me the steps to upgrade, please?
Also, here is the CSP rule related to Zendesk
default-src 'self'
https://static.zdassets.com
https://ekr.zdassets.com
https://ekr.zendesk.com
https://<domain>.zendesk.com
https://*.zopim.com
https://zendesk-eu.my.sentry.io
wss://<domain>.zendesk.com
wss://*.zopim.com;
style-src 'unsafe-inline';
img-src 'self'
https://v2assets.zopim.io
https://static.zdassets.com
data:;
script-src 'self'
https://static.zdassets.com
https://ekr.zdassets.com
https://ekr.zendesk.com
https://<domain>.zendesk.com
https://*.zopim.com
https://zendesk-eu.my.sentry.io
wss://<domain>.zendesk.com
wss://*.zopim.com;
-
Hi Erica,
Wanted to check if you got a chance to review our CSP rule. Also, can you please share with us the steps to upgrade to the newest Web Widget Classic version.
-
Hi Prateek,
I don't believe I received your code snippet. Would you be able to share it here? If you would prefer for privacy, I can create a ticket for you to share that info.
You should already have the latest version, but just to verify, try running zE.version in the console for your website where you have the widget embedded.
Best,
Erica
-
Hi Erica,
Here is the result of zE.version: '5cfa662'. Also, if you need more info about the code snippet, can you please create a ticket? Since it has the key, we prefer a ticket.
-
This is great information to share within the Community! Your contribution is greatly appreciated! Based on their strict guidelines, the keyword 'unsafe-eval' is allowed to be used in the CSP. The recommendation is to omit eval() for increased security if it is not used. There would be no violation of the Strict CSP if it were present.
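To make the mechanics behind the error in the first post concrete, the following is an added example; it is not Zendesk's code, not a browser's CSP implementation, and not part of any post in this thread. It is a small script-src evaluator that answers the two questions the thread turns on for a given Content-Security-Policy header: does the policy permit eval()/Function() (only when 'unsafe-eval' is listed in the governing directive), and is a given script URL an allowed source (host-source matching, including the *.zdassets.com wildcard and the fallback from script-src to default-src). The directive string is the one quoted in the error message, the script URL is the widget bundle named in the first post, and the page origin https://example.com is an assumption made for the example. It runs under Node without a browser.

```javascript
// Added example (not Zendesk's or any browser's code): a minimal model of the
// script-src behaviour discussed in the thread. Real browsers also handle
// nonces, hashes and 'strict-dynamic', which are left out here.

// Parse "name src src; name src" into a Map of directive name -> source list.
// CSP honours only the first occurrence of a directive name.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src governs scripts; when it is absent, default-src applies instead.
function scriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null; // nothing governs scripts
}

// eval(), Function() and string timers are refused unless 'unsafe-eval' is in
// the governing directive. The directive from the error message lists hosts
// only, which is exactly why the widget's Function() call was refused.
function evalAllowed(header) {
  const sources = scriptSources(parsePolicy(header));
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Does one source expression match `url`? `self` is the page's own URL.
function sourceMatches(source, url, self) {
  const src = source.toLowerCase();
  if (src === "'self'") return url.origin === self.origin;
  if (src.startsWith("'")) return false; // 'none', 'unsafe-eval', etc. match no URL
  if (src === '*') return ['http:', 'https:', 'ws:', 'wss:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src; // scheme-source
  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\/:*]+)(?::(\d+|\*))?(\/[^?#]*)?$/.exec(src);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // Scheme: an explicit scheme must match; a scheme-less source takes the
  // page's scheme. An http source also matches https (the permitted upgrade).
  const want = scheme ? scheme + ':' : self.protocol;
  if (!(url.protocol === want || (want === 'http:' && url.protocol === 'https:'))) return false;
  // Host: "*" is any host; "*.example.com" is any subdomain, not the apex.
  const hostname = url.hostname.toLowerCase();
  if (host.startsWith('*.')) {
    if (!hostname.endsWith(host.slice(1))) return false;
  } else if (host !== '*' && hostname !== host) {
    return false;
  }
  // Port: absent means the scheme's default port; "*" means any port.
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
  if (port === undefined) {
    if (urlPort !== (DEFAULT_PORTS[url.protocol] || '')) return false;
  } else if (port !== '*' && port !== urlPort) {
    return false;
  }
  // Path: a trailing "/" is a prefix match, anything else must match exactly.
  if (path !== undefined) {
    return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
  }
  return true;
}

// Is `scriptUrl` an allowed script source under `header` for a page at `pageUrl`?
function scriptAllowed(header, scriptUrl, pageUrl) {
  const sources = scriptSources(parsePolicy(header));
  if (sources === null) return true;
  const url = new URL(scriptUrl);
  const self = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, url, self));
}

// Mirrors the widget's pattern at the reported line: obtain a constructor via
// Function(). In a browser under a policy without 'unsafe-eval' this throws an
// EvalError and returns false; outside a browser there is no CSP, so it is true.
function runtimeEvalWorks() {
  try {
    Function('"use strict"; return (1).constructor;')();
    return true;
  } catch (e) {
    return false;
  }
}

// The directive quoted in the error message, and the same directive with eval permitted.
const POLICY_FROM_ERROR = 'script-src *.zdassets.com *.zendesk.com';
const POLICY_WITH_EVAL = "script-src *.zdassets.com *.zendesk.com 'unsafe-eval'";
const WIDGET_SCRIPT = 'https://static.zdassets.com/web_widget/latest/classic/web-widget-8663-7c2ace3.js';
const PAGE = 'https://example.com/'; // assumed page origin for this example

function report(header) {
  return { evalAllowed: evalAllowed(header), widgetScriptAllowed: scriptAllowed(header, WIDGET_SCRIPT, PAGE) };
}

for (const header of [POLICY_FROM_ERROR, POLICY_WITH_EVAL]) console.log(header, report(header));
```

The useful check for someone in Prateek's position is the second report: both policies let the bundle load from static.zdassets.com, so the widget script itself is not what is blocked; only the Function() call inside it is, and only the 'unsafe-eval' keyword (or a widget build that no longer calls Function()) changes that result.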