Ability to add a nonce to the script tag #31
Comments
@valeriansaliou any example of a Crisp client succeeding in configuring Content Security Policy (CSP)? I tried to modify locally your library to accept a nonce, but the Any response would be appreciated, thank you,
Hello @sneko, this is unfortunately not yet supported in the Crisp chatbox itself, since, as far as I understand how nonces work, we'd need to pass the nonce to all created inline elements (scripts and styles) from the chatbox loader. Given how we currently load our chatbox resources, this will require direct work on the global chatbox loader code, in addition to this SDK library. I'm keeping this open so that we can add this to our roadmap.
Alternatively, is it possible to remove the need for inline styles, i.e. so that we don't need to put "unsafe-inline" in the "style-src" CSP directive?
Inline styles are needed for the chatbox per-website themes to work correctly, there’s no way we can do it otherwise unfortunately.
Hi @valeriansaliou,
Due to third-party tools usage I have to set a nonce to my server page to load their script and bypass using CORP/COEP headers since I cannot customize them on those tools responses.
Would you consider adding the ability to customize the script attributes you create with `load()`?
crisp-sdk-web/src/index.ts, lines 192 to 197 in cc3c7fb
Thank you,
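The requirement discussed in this thread (a nonce on the loader's script tag and on every script or style element the loader then creates), as an added example that is not part of the original thread and is not Crisp's code. `createLoader`, `fakeDocument`, `blockedBy` and the `chat.example` URL are hypothetical, and the policy check is a simplified model of what a browser does.

```javascript
// Added example; hypothetical names, not the crisp-sdk-web API.
// The per-response nonce is generated by the server and passed in.

// CSP value that permits only nonced <script> and <style> elements.
function buildCsp(nonce) {
  return `script-src 'nonce-${nonce}'; style-src 'nonce-${nonce}'`;
}

// Loader that stamps the nonce on every element it creates.
// `attrs` lets the caller customise the script tag, as the issue requests.
function createLoader(doc, nonce, attrs = {}) {
  // Set the nonce last (so attrs cannot override it) and before insertion.
  const stamp = (el) => {
    if (nonce) el.setAttribute("nonce", nonce);
    return doc.head.appendChild(el);
  };
  return {
    loadScript(src) {
      const s = doc.createElement("script");
      for (const [k, v] of Object.entries(attrs)) s.setAttribute(k, v);
      s.setAttribute("src", src);
      return stamp(s);
    },
    injectStyle(css) {
      const st = doc.createElement("style");
      st.textContent = css;
      return stamp(st);
    },
  };
}

// Constructed stand-in for the DOM so the example runs under Node.
function fakeDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); return el; } };
  const createElement = (tag) => ({
    tag, attrs: {}, textContent: "",
    setAttribute(k, v) { this.attrs[k] = String(v); },
  });
  return { head, createElement };
}

// Simplified nonce-only policy check: tags of elements that would be refused.
function blockedBy(doc, nonce) {
  return doc.head.children
    .filter((el) => el.attrs.nonce !== nonce)
    .map((el) => el.tag);
}
```

Nonces apply only to `<script>` and `<style>` elements; a `style="..."` attribute cannot carry one, so markup that relies on style attributes is not covered by this approach.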