Content Security Policy (CSP) is a security mechanism that helps protect against content injection attacks, such as Cross Site Scripting (XSS).
Intercom fully supports Google strict CSPv3:
Content-Security-Policy:
object-src 'none';
script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:;
base-uri 'self';
report-uri https://your-report-collector.example.com/
If you are already serving this policy from your website, you don't need to apply any changes.
If you're supporting CSP up to version 1 or 2 only, you'll need to add the following to your list of allowed domains for Intercom to function correctly:
connect-src:
https://api.intercom.io
https://api-iam.intercom.io
https://api-ping.intercom.io
https://nexus-websocket-a.intercom.io
https://nexus-websocket-b.intercom.io
wss://nexus-websocket-a.intercom.io
wss://nexus-websocket-b.intercom.io
https://uploads.intercomcdn.com
https://uploads.intercomusercontent.com
child-src:
https://intercom-sheets.com
https://www.intercom-reporting.com
https://www.youtube.com
https://player.vimeo.com
https://fast.wistia.net
font-src:
https://js.intercomcdn.com
form-action:
https://intercom.help
https://api-iam.intercom.io
media-src:
https://js.intercomcdn.com
img-src:
blob:
data:
https://js.intercomcdn.com
https://static.intercomassets.com
https://downloads.intercomcdn.com
https://uploads.intercomusercontent.com
https://gifs.intercomcdn.com
https://video-messages.intercomcdn.com
https://messenger-apps.intercom.io
https://*.intercom-attachments-5.com
https://*.intercom-attachments-6.com
https://*.intercom-attachments-9.com
script-src:
https://app.intercom.io
https://widget.intercom.io
https://js.intercomcdn.com
style-src:
'unsafe-inline'
Please also note that you will need to include some nonce-source(s) for some scripts being loaded by the Messenger. You can refer to this tutorial for any help regarding the handling of nonces.
Also, if your service supports CSPv3 only, you'll need to use two separate entries for frame-src and worker-src in place of child-src, as this keyword is being deprecated.
Firewalls
Many of the above domains will also need to be allowed in your firewall settings to allow correct functioning of Intercom.