search

amazon-connect / amazon-connect-chatjs

Amazon Connect ChatJS - a browser-based contact center integration API for Chat on the Agent and Customer side.
https://docs.aws.amazon.com/connect/latest/adminguide/what-is-amazon-connect.html
Apache License 2.0
91 stars 53 forks source link

Avoid having to use "unsafe-inline" settings for CSS (style directive) #202

Closed DevSecBoi closed 7 months ago

DevSecBoi commented 8 months ago

To accommodate Content Security Policy CSP we have used "strict-dynamic" to avoid having to use "unsafe-inline" settings and prevent XSS as part of the script directive but there is no corresponding/similar parameter for CSS (style directive)?

mliao95 commented 7 months ago

I do not believe this issue is relevant for this ChatJS repository. If this is referencing our OOTB widget, we have a workaround here:

We provide a workaround using nonce. if you are able to add amazon_connect(‘nonce’, “custom-nonce-string”), we will populate our scripts/CSS tags with nonce=“custom-nonce-string”. From there, you can update your CSP to allow your custom nonce value.

e.g.

<script type="text/javascript">
    (function(w, d, x, id){
      s=d.createElement('script');
      s.src='https://d38ij7tdo5kvz7.cloudfront.net/amazon-connect-chat-interface-client.js';
      s.async=1;
      s.id=id;
      d.getElementsByTagName('head')[0].appendChild(s);
      w[x] =  w[x] || function() { (w[x].ac = w[x].ac || []).push(arguments) };
    })(window, document, 'amazon_connect', '....');
    amazon_connect('styles', {iconType: 'CHAT', openChat: { color: '#ffffff', backgroundColor: '#123456'}, closeChat: { color: '#ffffff', backgroundColor: '#123456'} });
    amazon_connect('snippetId', '....');
    amazon_connect('supportedMessagingContentTypes', [ 'text/plain', 'text/markdown' ]);
    amazon_connect('nonce', 'custom-nonce-string');
  </script>-