intercom / intercom-rails

The easiest way to install Intercom in a Rails app.
https://developers.intercom.io/reference
MIT License

Please don't monkeypatch #224

Open amingilani opened 7 years ago

amingilani commented 7 years ago

Please don't monkey patch; a better way to add a nonce for twitter/secureheaders is to use the content_security_policy_nonce(:script) helper. I advise a documentation update.

kant01ne commented 7 years ago

Hey! Can you provide more info about this? What part of the documentation do you want to update?

amingilani commented 7 years ago

Sure! I may have commented on this prematurely, but I've got Intercom's secure mode running on my app with Twitter Secure Headers by doing the following, which could totally be awesome if added to the docs.

I'm running secure_headers (3.4.0) and intercom-rails (0.3.2)

Improvement

The existing method outlines monkey patching, which is not a recommended way to do anything in Rails, especially since it monkey patches this gem itself.

In my application layout:

<%# The nonce helper comes from secure_headers: it returns the per-request nonce that the gem also emits in the script-src directive of the CSP header, so the inline Intercom script is allowed without 'unsafe-inline'. %>
<% if user_signed_in? %>
<%= intercom_script_tag({
  :app_id => 'app-id',
  :user_id => current_user.id,
  :email => current_user.email,
  :name => current_user.name,
  :created_at => current_user.created_at
}, {
  :secret => Rails.application.secrets.intercom_secure_mode_secret_key,
  :widget => {:activator => '#Intercom'},
  :nonce => content_security_policy_nonce(:script)
}) %>
<% else %>
<%# Anonymous visitors: no user identity, so no secure-mode user hash is computed. %>
<%= intercom_script_tag({
  :app_id => 'qvnmie0g',
}, {
  :secret => 'your-apps-api-secret',
  :widget => {:activator => '#Intercom'},
  :nonce => content_security_policy_nonce(:script)
}) %>
<% end %>

Missing

Also, the documentation leaves this out, but I had to whitelist wss://*.intercom.io *.intercom.io *.intercomcdn.com in my sources to get the Intercom script to work. Here's my CSP config:

SecureHeaders::Configuration.default do |config|
  config.csp = {
    report_only: !Rails.env.production?, # default: false
    preserve_schemes: true, # default: false.

    default_src: %w('none'), # nothing allowed
    font_src: %w('self' fonts.gstatic.com *.intercom.io *.intercomcdn.com),
    script_src: %w('self' www.google-analytics.com *.intercom.io *.intercomcdn.com),
    connect_src: %w('self' wss://*.intercom.io *.intercom.io *.intercomcdn.com),
    img_src: %w('self' www.google-analytics.com),
    # no comma inside %w(): it would become part of the last token and emit an invalid source
    style_src: %w('unsafe-inline' 'self' fonts.googleapis.com),
    report_uri: ['https://payload.report-uri.io/r/default/csp/enforce']
  }
end

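
The two things the comment above relies on, a per-request script nonce and a source list that the browser actually parses as intended, can be checked without booting Rails. The following is an added example written for this page, not code from intercom-rails or secure_headers; SAMPLE_POLICY is a constructed copy of the hash posted above (including its stray comma in style_src), and generate_nonce, validate_sources, build_csp_header, host_matches?, script_allowed? and the page host app.example.com are names assumed here for illustration. build_csp_header is a simplified model of how the gem serialises the hash and appends the nonce, not its real serialiser.

```ruby
require "securerandom"

# Constructed sample mirroring the secure_headers config in the thread.
# Note the trailing comma inside %w(): Ruby keeps it as part of the token.
SAMPLE_POLICY = {
  default_src: %w('none'),
  script_src:  %w('self' www.google-analytics.com *.intercom.io *.intercomcdn.com),
  connect_src: %w('self' wss://*.intercom.io *.intercom.io *.intercomcdn.com),
  style_src:   %w('unsafe-inline' 'self' fonts.googleapis.com,)  # stray comma
}.freeze

# Same policy with the comma removed.
FIXED_POLICY = SAMPLE_POLICY.merge(
  style_src: %w('unsafe-inline' 'self' fonts.googleapis.com)
).freeze

KEYWORDS = %w('self' 'none' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic').freeze
# host-source: optional scheme://, optional leading *. label, optional :port
HOST_SOURCE = %r{\A(?:[a-z][a-z0-9+.-]*://)?(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*(?::\d+)?\z}i
NONCE_SOURCE = %r{\A'nonce-[A-Za-z0-9+/=]+'\z}

# One fresh nonce per response. Reusing a nonce across requests defeats it:
# anyone who can read one page learns a value that unlocks inline script on another.
def generate_nonce
  SecureRandom.base64(32)
end

# Flag source expressions that will not mean what the author intended.
# Returns [[directive, token, reason], ...]; an empty array means the list is clean.
def validate_sources(policy)
  problems = []
  policy.each do |directive, sources|
    sources.each do |token|
      if token.end_with?(",")
        problems << [directive, token, "trailing comma (%w does not strip it)"]
      elsif KEYWORDS.include?("'#{token}'")
        problems << [directive, token, "keyword must be quoted"]
      elsif !KEYWORDS.include?(token) && !token.match?(HOST_SOURCE) && !token.match?(NONCE_SOURCE)
        problems << [directive, token, "not a keyword, host or nonce source"]
      end
    end
  end
  problems
end

# Serialise the hash to a header value and append the request nonce to
# script-src, which is what using content_security_policy_nonce(:script) causes.
def build_csp_header(policy, nonce:)
  policy.map do |directive, sources|
    name = directive.to_s.tr("_", "-")
    list = sources.dup
    list << "'nonce-#{nonce}'" if name == "script-src"
    "#{name} #{list.join(' ')}"
  end.join("; ")
end

# Does a host-source such as *.intercom.io match a script URL's host?
def host_matches?(source, host)
  bare = source.sub(%r{\A[a-z][a-z0-9+.-]*://}i, "")
  if bare.start_with?("*.")
    host.end_with?(bare[1..-1])   # "*.intercom.io" matches "widget.intercom.io"
  else
    host.casecmp?(bare)
  end
end

# Mimic the browser's script-src decision.
#   inline_nonce: the nonce attribute on an inline <script> (nil if absent)
#   src_host:     host of an external <script src>; nil means the script is inline
def script_allowed?(policy, nonce:, inline_nonce: nil, src_host: nil, page_host: "app.example.com")
  sources = policy.fetch(:script_src, policy.fetch(:default_src, []))
  if src_host.nil?
    # Inline script runs only with a matching nonce (or a blanket 'unsafe-inline').
    return true if sources.include?("'unsafe-inline'")
    !inline_nonce.nil? && inline_nonce == nonce
  else
    return true if sources.include?("'self'") && host_matches?(page_host, src_host)
    sources.any? { |s| !s.start_with?("'") && host_matches?(s, src_host) }
  end
end
```

Running validate_sources against SAMPLE_POLICY reports the "fonts.googleapis.com," token, which is the kind of silent breakage a report-only deployment would surface as blocked stylesheets; the same call against FIXED_POLICY returns nothing. script_allowed? shows why the nonce route is preferable to monkey patching or 'unsafe-inline': an inline Intercom snippet is allowed only when its nonce equals the one in this response's header, while widget.intercom.io and js.intercomcdn.com are reached through the wildcard host sources.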
adenta commented 6 years ago

+1 to @amingilani. I followed the above steps and they worked great.