Content Security Policy blocking the chat widget. | The place for Zendesk users to come together and share
Skip to main content
Question

Content Security Policy blocking the chat widget.

  • July 15, 2022
  • 15 replies
  • 3 views
Prateek12

Hi There,

We are implementing the Content Security Policy(CSP) in our Envoy Application.

We have allowed all the resources from Zendesk as valid resource in CSP rule. But unfortunatly we are getting below error on clock on Chat widget.
Error:
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src *.zdassets.com *.zendesk.com"

We are getting this error from the JS file "https://static.zdassets.com/web_widget/latest/classic/web-widget-8663-7c2ace3.js" at line number : 4930.
try {
    return Function('"use strict"; return (' + e + ").constructor;")()

Accourdting to the CSP best practices, we cannot use unsafe-eval, instead we need to use alternative for eval() or funtion() in JS.

Can you please provide us the solution for this as this is become a major security issue.


We have followed the
https://developer.zendesk.com/documentation/classic-web-widget-sdks/web-widget/integrating-with-google/csp/#content-security-policy-csp-support

15 replies

E
  • Erica26Employee
  • Employee
  • July 18, 2022
Hi Prateek,
 
Thanks for sharing this within the Community! We adhere to Google's Strict CSP guidelines which can be found here. Based on their strict guidelines, 'unsafe-eval' is an allowed CSP keyword. Their recommendation is that if eval() is not used than you can omit it for increased security. Having it would not violate the Strict CSP. 
 
However, taking a further look into our newest Web Widget Classic version you should be able to omit it as it doesn't appear we're using eval. Would you be able to share your current Web Widget snippet and CSP setup?
 
Best,
 
Erica
Prateek12
  • Prateek12
  • Author
  • July 19, 2022

Hi Erica,

Thanks for you help!

I agree that based on google's strict guidelines, 'unsafe-eval' is an allowed CSP keyword. But they also say that "This reduces the protection against certain types of DOM-based XSS bugs".

So, we want to avoid all kind of risk and have a cleaner implementation.

Since web snippet has key, I am not comfurtable sharing it here. But can you give me the steps to upgrade please? 

Also, here is the CSP rule related to Zendesk

default-src 'self'
            https://static.zdassets.com
            https://ekr.zdassets.com
            https://ekr.zendesk.com
            https://<domain>.zendesk.com
            https://*.zopim.com
            https://zendesk-eu.my.sentry.io
            wss://<domain>.zendesk.com
            wss://*.zopim.com;
style-src 'unsafe-inline';
img-src 'self'
        https://v2assets.zopim.io
        https://static.zdassets.com
        data:;
script-src 'self'
            https://static.zdassets.com
            https://ekr.zdassets.com
            https://ekr.zendesk.com
            https://<domain>.zendesk.com
            https://*.zopim.com
            https://zendesk-eu.my.sentry.io
            wss://<domain>.zendesk.com
            wss://*.zopim.com;

Prateek12
  • Prateek12
  • Author
  • July 25, 2022

Hi Erica,

Wanted to check if you get a chance to review our CSP rule. Also, can you please share us the steps to upgrade to newest Web Widget Classic version.

E
  • Erica26Employee
  • Employee
  • July 26, 2022
Hi Prateek, 
 
I don't believe I received your code snippet. Would you be able to share it here? If you would prefer for privacy, I can create a ticket for you to share that info. 
 
You should already have the latest version but just to verify, try running zE.version in the console for your website where you have the widget embedded.
 
Best,
 
Erica
 
Prateek12
  • Prateek12
  • Author
  • July 27, 2022

Hi Erica,

Here is the result of zE.version : '5cfa662'.

Also, if you need more info about  code snippet, can you please create a ticket? Since, it has key, we prefer ticket.

Taras13
  • Taras13
  • April 5, 2024

Hi.

Our chat widget isn't working properly because now it demands unsafe-eval to be allowed.

However, it isn't one of the safe practices and is blocked by CSP policies. 

Moreover, unsafe-eval was not used before today or yesterday and chat widget was working fine. But now it requires unsafe-eval to run. You can see on the screenshot that Google warns against using it and I don't understand you argument that “it is an allowed CSP keyword”.  

This should definitely be fixed immediately

Tipene
  • TipeneEmployee
  • Employee
  • April 9, 2024
Hi Taras,
 
I've tested this across multiple web widget instances and I've been unable to reproduce the issue you're seeing. Is this still present on your end? If so, can you provide a link where I can see this? Or, if there are any specific steps to reproduce, please outline those here.
 
Thanks,
 
Tipene
Taras13
  • Taras13
  • April 10, 2024

Hi Tipene.

You should check it in our web app
https://app.help-desk-migration.com/authorization/sign-in

C

got the same issue following https://developer.zendesk.com/documentation/classic-web-widget-sdks/web-widget/integrating-with-google/csp/

Not working without unsafe-eval
can you fix so we don't need to set ‘unsafe-eval’ ?

C
Hi Christof,
 
I've created a ticket to work with you in greater detail on this.  Please refer to the ticket for next steps.
Yura13
  • Yura13
  • April 23, 2024

Hi @tipene,

Taras Velychko provided you with all the examples of how to easily reproduce this issue, and it is reproducible not only for us. Why is there no response from you and your team on this matter?

Taras13
  • Taras13
  • April 23, 2024

So will we get a universal solution or you're going case by case with whoever complains?

Ho do we make your chat log in users without allowing unsafe-eval? Web widget receives all the necessary user information for logging him in, but it doesn't happen.
 

    C
    Hi Folks,
     
    Apologies for the confusion.  Our inability to reproduce was due to an issue with the testing steps/conditions.  Our team is currently reviewing this issue.
      R
      • Romain12
      • April 30, 2024

      Any update on this issue ? We are also affected by it and it is a big blocker for us.

      C
      Hello,
       
      Thanks for your patience.  Our web widget devs have released a fix to resolve this error.  Let us know if you still encounter an issue.
      Terms & ConditionsCookie settingsAccessibility statement