intercom / intercom-rails

The easiest way to install Intercom in a Rails app.
https://developers.intercom.io/reference
MIT License

CDATA in intercom_script_tag results in the csp_sha256 mismatch and a failing CSP #342

Open baueric opened 1 year ago

baueric commented 1 year ago

Version info

Expected behavior

Both should be true depending on how you use intercom-rails:

  1. If doing manual insertion with intercom_script_tag: The intercom_script_tag.csp_sha256 should match the hash of the script injected into the HTML
  2. If doing automatic insertion: The sha256 in the hook described in the CSP section of the readme def self.csp_sha256_hook(controller, sha256) should match the hash of the script injected into the HTML

Actual behavior

The browser reports

Refused to execute inline script because it violates the following Content Security Policy directive: [...] Either the 'unsafe-inline' keyword, a hash ('sha256-0wDuHgTA8dC7F+INUiUehCTAmoC3UVFkJl6ECD9w+iY='), or a nonce ('nonce-...') is required to enable inline execution.

There are CDATA tags surrounding the script resulting in the hash generated by intercom-rails not matching the browser's hash of the script:

Screenshot 2023-06-27 at 13 02 25

I verified that if I take a manual sha256 hash with the CDATA tags included it does match the hash reported by the browser.

Steps to reproduce

  1. Configure standard intercom-rails integration
  2. Enable Rails CSP and set config.content_security_policy_report_only = false
  3. Set up the Content Security Policy hooks for sha256 header appending
  4. Load the app and notice the browser reports it cannot execute the intercom script

Logs

Refused to execute inline script because it violates the following Content Security Policy directive: [...] Either the 'unsafe-inline' keyword, a hash ('sha256-0wDuHgTA8dC7F+INUiUehCTAmoC3UVFkJl6ECD9w+iY='), or a nonce ('nonce-...') is required to enable inline execution.

shivam-chahar commented 1 year ago

I'm facing the same issue, @baueric were you able to resolve this?

baueric commented 1 year ago

@shivam-chahar a simple solution I used is taking the hash manually of intercom_script_tag and adding it to my CSP.
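The mismatch described in the issue, and the manual-hash workaround above, can be reproduced offline with the following Ruby snippet. This is an added example, not code from intercom-rails; the script body is a constructed stand-in for the real Intercom boot script, and the CDATA wrapper mirrors what Rails' javascript_tag emits (assumed here, labelled in the comments).

```ruby
require "digest"
require "base64"

# Constructed stand-in for the Intercom boot script; not the gem's real output.
SCRIPT_BODY = "window.intercomSettings = {app_id: \"example_app_id\"};".freeze

# A CSP 'sha256-...' source expression is base64(SHA-256(exact inline text
# between <script> and </script>)), which is what the browser computes.
def csp_sha256(inline_source)
  "sha256-#{Base64.strict_encode64(Digest::SHA256.digest(inline_source))}"
end

# Assumed wrapper: Rails' javascript_tag surrounds content with a CDATA
# section and newlines, so the bytes the browser hashes are not the bare body.
def cdata_wrapped(body)
  "\n//<![CDATA[\n#{body}\n//]]>\n"
end

# Pull the exact inline content out of a rendered <script> tag (first one only).
def inline_content(html)
  m = html.match(%r{<script[^>]*>(.*?)</script>}m)
  m && m[1]
end

# Compare the hash a server computes over `expected_body` with the hash the
# browser derives from the rendered page. They only match when both cover the
# same bytes, CDATA wrapper included.
def check_csp_hash(expected_body, rendered_html)
  server_hash  = csp_sha256(expected_body)
  browser_hash = csp_sha256(inline_content(rendered_html))
  { server: server_hash, browser: browser_hash, match: server_hash == browser_hash }
end

def render_script_tag(body)
  "<script>#{cdata_wrapped(body)}</script>"
end

# Bug as reported: hash of the bare body vs. hash of the CDATA-wrapped content.
def demo_mismatch
  check_csp_hash(SCRIPT_BODY, render_script_tag(SCRIPT_BODY))
end

# Workaround as reported: hash the rendered inline content as-is.
def demo_manual_hash
  rendered = render_script_tag(SCRIPT_BODY)
  check_csp_hash(inline_content(rendered), rendered)
end
```

The hash that must go into the CSP header is the one computed over the rendered inline content, so any change to the wrapper (or to the script body) changes it.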

shivam-chahar commented 1 year ago

@baueric Thanks, Eric. I'll try that out 🚀