
I’m trying to use ‘strict-dynamic’ for my ‘script-src’ content security policy.

I have a nonce set up in my page where I include the Front chat widget script:

  <script nonce="random nonce here" type="text/javascript" src='https://chat-assets.frontapp.com/v1/chat.bundle.js'></script>

but it appears that that chat.bundle.js script dynamically loads app.bundle.js, which leads to a CSP violation in Chrome:

Refused to load the script 'https://chat-assets.frontapp.com/v1/app.bundle.js?v=840fb872' because it violates the following Content Security Policy directive: "script-src 'self' 'strict-dynamic' chat-assets.frontapp.com 'nonce-9a6157311c94f2a96914fe5ac561d6fc'". Note that 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Is there a way to use strict-dynamic with the Front chat widget?

Hi Smerel,

I think we have a gap in our chat SDK documentation. You can pass a nonce as part of the 'init' request, and that will appear as an IFrame property:

Please find my demo here:

https://evans-front-sandbox.netlify.app/pages/chats/basic-chat-with-nonce/


thanks, that worked!

