Content Security Policy (CSP) is a browser security mechanism that helps protect against content injection attacks, such as Cross-Site Scripting (XSS).

Intercom fully supports Google's strict CSPv3 policy:

Content-Security-Policy:
  object-src 'none';
  script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:;
  base-uri 'self';
  report-uri https://your-report-collector.example.com/

If you are already serving this policy from your website, you don't need to apply any changes.

If your site supports CSP version 1 or 2 only, you'll need to add the following sources to your whitelist for Intercom to function correctly:

connect-src:
  https://api.intercom.io
  https://api-iam.intercom.io
  https://api-ping.intercom.io
  https://nexus-websocket-a.intercom.io
  https://nexus-websocket-b.intercom.io
  https://nexus-long-poller-a.intercom.io
  https://nexus-long-poller-b.intercom.io
  wss://nexus-websocket-a.intercom.io
  wss://nexus-websocket-b.intercom.io
  https://uploads.intercomcdn.com
  https://uploads.intercomusercontent.com
child-src:
  https://share.intercom.io
  https://intercom-sheets.com
  https://www.intercom-reporting.com
  https://www.youtube.com
  https://player.vimeo.com
  https://fast.wistia.net

font-src:
  https://js.intercomcdn.com

form-action:
  https://intercom.help
  https://api-iam.intercom.io

media-src:
  https://js.intercomcdn.com

img-src:
  data:
  https://js.intercomcdn.com
  https://static.intercomassets.com
  https://downloads.intercomcdn.com
  https://uploads.intercomusercontent.com
  https://gifs.intercomcdn.com
  https://messenger-apps.intercom.io
  https://*.intercom-attachments.com

script-src:
  https://app.intercom.io
  https://widget.intercom.io
  https://js.intercomcdn.com

style-src:
  'unsafe-inline'

Please also note that you will need to include one or more nonce sources for some of the scripts loaded by the Messenger. You can refer to this tutorial for help with handling nonces.

Also, if your site supports CSPv3 only, you'll need two separate entries, frame-src and worker-src, in place of child-src, as that directive is deprecated in CSPv3.
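As an added example (not Intercom's code), the snippet below assembles the whitelist above into a Content-Security-Policy header value, merges it with a site's own sources without duplicates, and performs the child-src replacement just described when the policy targets CSPv3 only. The source lists are copied from this page; the site's own directives are constructed placeholders, and giving worker-src the same sources as child-src is an assumption made because child-src previously governed both frames and workers.

```javascript
// Added example: building the CSP1/2 whitelist header and the CSPv3 variant.
// Plain Node.js, no dependencies; not Intercom's own code.

// Source lists copied from the article above.
const INTERCOM_SOURCES = {
  "connect-src": [
    "https://api.intercom.io", "https://api-iam.intercom.io", "https://api-ping.intercom.io",
    "https://nexus-websocket-a.intercom.io", "https://nexus-websocket-b.intercom.io",
    "https://nexus-long-poller-a.intercom.io", "https://nexus-long-poller-b.intercom.io",
    "wss://nexus-websocket-a.intercom.io", "wss://nexus-websocket-b.intercom.io",
    "https://uploads.intercomcdn.com", "https://uploads.intercomusercontent.com",
  ],
  "child-src": [
    "https://share.intercom.io", "https://intercom-sheets.com", "https://www.intercom-reporting.com",
    "https://www.youtube.com", "https://player.vimeo.com", "https://fast.wistia.net",
  ],
  "font-src": ["https://js.intercomcdn.com"],
  "form-action": ["https://intercom.help", "https://api-iam.intercom.io"],
  "media-src": ["https://js.intercomcdn.com"],
  "img-src": [
    "data:", "https://js.intercomcdn.com", "https://static.intercomassets.com",
    "https://downloads.intercomcdn.com", "https://uploads.intercomusercontent.com",
    "https://gifs.intercomcdn.com", "https://messenger-apps.intercom.io",
    "https://*.intercom-attachments.com",
  ],
  "script-src": ["https://app.intercom.io", "https://widget.intercom.io", "https://js.intercomcdn.com"],
  "style-src": ["'unsafe-inline'"],
};

// Constructed placeholder for a site's existing policy (assumption).
const SITE_SOURCES = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "img-src": ["'self'"],
  "object-src": ["'none'"],
};

// Merge directive maps left to right; sources are de-duplicated, order kept.
function mergeDirectives(...maps) {
  const out = {};
  for (const map of maps) {
    for (const [directive, sources] of Object.entries(map)) {
      const seen = new Set(out[directive] || []);
      for (const s of sources) seen.add(s);
      out[directive] = [...seen];
    }
  }
  return out;
}

// child-src is deprecated in CSPv3: replace it with frame-src and worker-src.
// Assumption: both get the same sources, since child-src covered both.
function splitChildSrc(directives) {
  const { "child-src": child, ...rest } = directives;
  if (!child) return rest;
  return { ...rest, "frame-src": [...child], "worker-src": [...child] };
}

// Serialize a directive map into the header value format "name src src; name src".
function serialize(directives) {
  return Object.entries(directives)
    .map(([directive, sources]) => `${directive} ${sources.join(" ")}`)
    .join("; ");
}

// Full header value for a site; csp3Only selects the frame-src/worker-src form.
function buildPolicy(site, { csp3Only = false } = {}) {
  const merged = mergeDirectives(site, INTERCOM_SOURCES);
  return serialize(csp3Only ? splitChildSrc(merged) : merged);
}
```

Note that this whitelist form is the weaker of the two policies on this page: script-src here allows whole origins rather than nonced scripts, so any injection that can load a script from one of those hosts runs. Prefer the strict nonce-based policy wherever your browsers support it.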

If we make any changes to this list we'll announce it in the Intercom change log.
