Web Widget violates CSP | Community
Skip to main content

Web Widget violates CSP

  • August 3, 2021
  • 13 replies
  • 0 views
C

My app is using the web widget via the loading of the ze-snippet script. I am setting a nonce on the script element and I have followed the web widget CSP documentation. However, I am getting a CSP violation due to an iframe attempting to run an inline script.

I believe I've narrowed it down to the "asset_composer.js" script that's loaded into an iframe by the snippet. I can see that there's an inline script that does not have a nonce. The only way to remove this violation is to add "unsafe-inline" to my script policy, which is not acceptable. Am I missing something here? I've seen numerous conversations about CSP but none are related to this issue, and it appears there was an effort to improve this in the past couple years but it's still broken.

Thanks,

Chris

    13 replies

    Eric27
    • Eric27
    • August 9, 2021

    Hey Chris!

    Are using the recommended setup or a custom configuration? Would you be able to provide us the snippet so that we can take a look?

    Have a wonderful day!

    Eric Nelson | Manager - Developer Advocacy

    F
    • Fable
    • September 9, 2021

    I am experiencing the exact same issue using the recommended setup.

    Below is a copy of the snippet as it is implemented on my site, where "random-csp-nonce" is being generated by my server:


    <!-- Start of greenbuildingregistry Zendesk Widget script -->
    <script id="ze-snippet" src="https://static.zdassets.com/ekr/snippet.js?key=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" nonce="random-csp-nonce"> </script>
    <!-- End of greenbuildingregistry Zendesk Widget script -->

    The error appears as: "Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-xxxxxxxxxxxxxxxxx'". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution." With a reference to web-widget-218-a0e6bddf78f556c0ba98.js:2

    J
    • James164
    • November 24, 2021

    Just adding my voice as I'm currently experiencing what seems to be the same issue as Fable.

    Your documentation suggests adding "unsafe-inline" to our content security policy, but is there another solution, suitable for those of us for whom relaxing their CSP by allowing potentially unsafe styles is unacceptable?

    Thanks in advance.

    Karl21
    • Karl21
    • March 21, 2022

    Adding my voice too... Not a fan of allowing "unsafe-inline" as it defeats the whole purpose of the CSP headers.

    D
    • Dario15
    • April 19, 2022

    Same, adding "unsafe-inline" defeats the goal. Could you please change it to use a nonce instead?

    D
    • dave64
    • August 22, 2022

    1: Adding to this. I see that the CSP guide ( https://developer.zendesk.com/documentation/classic-web-widget-sdks/web-widget/integrating-with-google/csp/ ) says 

    style-src 'unsafe-inline';

    Is there some solution so we do not need this, either?  Can we use a nonce, instead?

     

    2: Even with a nonce, this doesn't protect us from corruption on your end (not saying you are prone to that, it is just a general concern).  Have y'all thought about some solution to all this where we can avoid relying on dynamically downloaded code?  For example, provide a versioned npm package that we can package into our app and we then just download a well-defined JSON file (that we could validate) that we can then feed into that code?

     

    Mike113
    • Mike113
    • September 27, 2023

    Any updates on this? We would like to use the Zendesk chat feature but `style-src 'unsafe-inline';` is not an option for us. We require a strict CSP that will now allow that policy.

    Yura13
    • Yura13
    • February 29, 2024

    We are having issues with the Content Security Policy (CSP) directive "style-src 'self' 'nonce-xxxxxxxxxxxxxxxxx'". This directive is preventing us from loading stylesheets from Zendesk chat, which is causing problems with the chat functionality.

    We have been using the unsafe-inline option as a workaround, but this is not a good long-term solution. We would appreciate it if you could investigate this issue and provide a fix.

    Destiny
    • Destiny
    • March 1, 2024
    Hi Yura,
     
    Thank you for your message. Could you provide additional details regarding the impact of the CSP directive on your Zendesk Chat stylesheets? I'd like to ensure that you're adhering to the setup guidelines outlined in our developer documentation, which you can find at https://developer.zendesk.com/documentation/classic-web-widget-sdks/web-widget/integrating-with-google/csp/.
     
    It would be very helpful if you could share more about how this is influencing the functionality of your widget. Thanks
    Yura13
    • Yura13
    • March 1, 2024

    Hi Destiny,

    Thank you for your response.

    We are using the recommended setup (add the nonce attribute to the Web Widget snippet) from your documentation. However, if we do not add 'unsafe-inline' to style-src, the CSS styles do not load on the page and the chat does not display properly. You can easily reproduce this on your own Zendesk instance.

    Chat view: 

    Console:

    All previous participants in this thread have described the problem in detail, but as I can see, you have not responded in any way in 3 years.

    Thank you, and I hope one of your engineers will check and fix the problem.

    Destiny
    • Destiny
    • March 5, 2024
    Hello Yura, 
     
    Thank you for the screenshot and the extra details you've shared.
     
    Regrettably, I must inform you that our current setup does not support this functionality, as the Web Widget (Classic) necessitates the inclusion of 'unsafe-inline'. Although there have been previous attempts to investigate and resolve this matter, we have yet to find a definitive solution. Given our existing roadmap and priorities, we do not have the capacity to address this at the moment. Hoping for your understanding on this matter. 
    Yura13
    • Yura13
    • March 5, 2024

    Hi Destiny,

    Thank you for your response. I admit, this is not what I expected. However, in the interests of fairness, I would like you to change your documentation on this page: https://developer.zendesk.com/documentation/classic-web-widget-sdks/web-widget/integrating-with-google/csp/, as it is inaccurate and leads to wasted time for companies that want to comply with CSP.

    Thank you for your understanding.

    Destiny
    • Destiny
    • March 7, 2024
    Hello Yura,
     
    Thank you for providing your candid feedback. Given that this pertains to developer documentation, I will pass on your comments to our team. I'm hopeful that they will be able to implement updates promptly.
    Terms & ConditionsCookie settingsAccessibility statement