amingilani opened this issue 7 years ago
hey! Can you provide more info about this? What part of the documentation do you want to update?
Sure! I may have commented on this prematurely, but I've achieved Intercom's secure mode running on my app with Twitter Secure Headers by doing the following, which can totally be awesome if added to the docs.
I'm running secure_headers (3.4.0)
and intercom-rails (0.3.2)
The existing method outlines monkey patching, which is not a recommended way to do anything in Rails, especially since it monkey patches this gem itself.
In my application layout:

```erb
<% if user_signed_in? %>
  <%= intercom_script_tag({
    :app_id => 'app-id',
    :user_id => current_user.id,
    :email => current_user.email,
    :name => current_user.name,
    :created_at => current_user.created_at
  }, {
    :secret => Rails.application.secrets.intercom_secure_mode_secret_key,
    :widget => {:activator => '#Intercom'},
    :nonce => content_security_policy_nonce(:script)
  }) %>
<% else %>
  <%= intercom_script_tag({
    :app_id => 'qvnmie0g',
  }, {
    :secret => 'your-apps-api-secret',
    :widget => {:activator => '#Intercom'},
    :nonce => content_security_policy_nonce(:script)
  }) %>
<% end %>
```
Also, the documentation misses this out, but I had to whitelist `wss://*.intercom.io *.intercom.io *.intercomcdn.com` in my sources to get the Intercom script to work. Here's my CSP config:

```ruby
SecureHeaders::Configuration.default do |config|
  config.csp = {
    report_only: !Rails.env.production?, # default: false
    preserve_schemes: true, # default: false.
    default_src: %w('none'), # nothing allowed
    font_src: %w('self' fonts.gstatic.com *.intercom.io *.intercomcdn.com),
    script_src: %w('self' www.google-analytics.com *.intercom.io *.intercomcdn.com),
    # wss:// is needed for Intercom's websocket connection
    connect_src: %w('self' wss://*.intercom.io *.intercom.io *.intercomcdn.com),
    img_src: %w('self' www.google-analytics.com),
    # no trailing comma inside %w(): it would become part of the last source
    style_src: %w('unsafe-inline' 'self' fonts.googleapis.com),
    report_uri: ['https://payload.report-uri.io/r/default/csp/enforce']
  }
end
```
+1 to @amingilani. I followed the above steps and they worked great.
Please don't monkey patch; a better way to add a nonce for twitter/secureheaders is by using the `content_security_policy_nonce(:script)` helper. I advise a documentation update.
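To show why the nonce helper recommended above lets the Intercom snippet run under the `script_src` from the first post without `'unsafe-inline'`, here is an added Ruby example. It is not code from this issue, secure_headers or intercom-rails; the function names are hypothetical stand-ins for what those gems do per request.

```ruby
require "securerandom"
require "cgi"

# The script sources from the issue's CSP config (minus the nonce,
# which secure_headers appends per request).
SCRIPT_SRC = %w('self' www.google-analytics.com *.intercom.io *.intercomcdn.com).freeze

# One fresh nonce per request: 128 bits of randomness, base64-encoded.
# (Stand-in for what content_security_policy_nonce(:script) returns.)
def new_script_nonce
  SecureRandom.base64(16)
end

# Build the script-src directive with the request's nonce appended.
# Because a nonce is present, no 'unsafe-inline' is needed for the
# inline Intercom boot script.
def script_src_directive(nonce, sources = SCRIPT_SRC)
  "script-src #{(sources + ["'nonce-#{nonce}'"]).join(' ')}"
end

# What a helper like intercom_script_tag renders when given :nonce.
def inline_script_tag(js, nonce)
  %(<script nonce="#{CGI.escapeHTML(nonce)}">#{js}</script>)
end

# Minimal model of the browser's rule for inline scripts under CSP:
# allowed only when the tag carries a nonce listed in script-src.
# An inline script without the per-request nonce is blocked, which is
# the protection a static 'unsafe-inline' would give away.
def inline_script_allowed?(directive, tag)
  tag_nonce = tag[/nonce="([^"]+)"/, 1]
  return false if tag_nonce.nil?
  directive.split(" ").include?("'nonce-#{tag_nonce}'")
end
```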