Widget creates errors: Content Security Policy

I've added the widget to a webpage. When I open Chrome - Inspect - Console, I see the following error:

Refused to load the script 'https://widget.freshworks.com/widgets/xxxxxxxxxxx.js' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback.

(I changed our number to xxxxxxxxxxx)

This is the content of a test page:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1" runat="server">
</head>
<body>
TEST<BR>
<script>
  window.fwSettings={
    'widget_id':xxxxxxxxxxx
  };
  !function(){if("function"!=typeof window.FreshworksWidget){var n=function(){n.q.push(arguments)};n.q=[],window.FreshworksWidget=n}}()
</script>
<script type='text/javascript' src='https://widget.freshworks.com/widgets/xxxxxxxxxxx.js' async defer></script>
</body>
</html>

I tried adding:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' widget.freshworks.com">

I only get more errors.

Could someone help me out? I'm not a web developer (clearly), but I assume this widget needs an (almost) standard set of Content Security Policy (CSP) rules?

Apologies for the double post!

This is a problem for us as well. For now we've added the generated hash code to our content security policy, but presumably that hashcode will change if Freshdesk changes the widget code, so is not a good long term solution. Freshdesk, please address this, is there some way to get this to work other than hashcode (or allowing unsafe-inline)?

Thanks

@Ed O'Connor-Giles: Could you give me an example of what to add to the content security policy? It would help me out for now.

Thank you!

I'm no security expert, so take this with a grain of salt, but one approach you can take is to determine the hash of the Freshdesk code and allow that in your CSP. You can actually easily find the hash in the error message within the javascript console of your browser when it fails to execute the script. This article seems to have some good information, look especially at the 'Using Hashes' section for an example of what I'm talking about, though you may find the whole article helpful: https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/

Best

-Ed
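To make the hash approach above concrete, here is an added example (not code from Freshdesk or from anyone in this thread) that models, in Python, how the browser picks the directive governing a script element (the 'script-src-elem' to 'script-src' to 'default-src' fallback named in the console error) and whether a given policy admits the external widget script and its inline settings block. The page origin, widget id and inline snippet are constructed placeholders, host matching is simplified (no wildcards or ports), and only script loading is modelled; any other resources the widget fetches need their own directives.

```python
import base64
import hashlib
from urllib.parse import urlsplit
# Lookup order Chrome applies for <script> elements (cf. the console message above).
SCRIPT_ELEM_CHAIN = ("script-src-elem", "script-src", "default-src")

def parse_csp(policy):
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def sha256_source(script_body):
    """CSP hash token for an inline script; it covers the exact body, whitespace included."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def host_matches(source, url):
    """Simplified host-source match: scheme is optional, path is ignored."""
    scheme, _, host = source.rpartition("://")
    u = urlsplit(url)
    return (not scheme or scheme == u.scheme) and u.hostname == host.split("/")[0].lower()

def script_allowed(policy, page_origin, url=None, inline_body=None):
    """Would the policy let <script src=url> (or an inline script body) run?"""
    directives = parse_csp(policy)
    sources = next((directives[d] for d in SCRIPT_ELEM_CHAIN if d in directives), None)
    if sources is None:
        return True  # no governing directive, nothing is restricted
    if inline_body is not None:
        # CSP3: 'unsafe-inline' is ignored once any hash or nonce is listed.
        if "'unsafe-inline'" in sources and not any(s.startswith(("'sha", "'nonce-")) for s in sources):
            return True
        return sha256_source(inline_body) in sources
    for s in sources:
        if s == "'self'" and urlsplit(url)[:2] == urlsplit(page_origin)[:2]:
            return True
        if not s.startswith("'") and host_matches(s, url):
            return True
    return False

# Constructed sample values; widget id and page origin are placeholders, not real ones.
WIDGET_JS = "https://widget.freshworks.com/widgets/xxxxxxxxxxx.js"
PAGE = "https://www.example.test"
INLINE = "window.fwSettings={'widget_id':xxxxxxxxxxx};"
ORIGINAL = "default-src 'self' 'unsafe-inline' 'unsafe-eval'"  # policy named in the error
ATTEMPT = "default-src 'self' widget.freshworks.com"           # the <meta> tag tried above
FIXED = "default-src 'self'; script-src 'self' https://widget.freshworks.com " + sha256_source(INLINE)
```

Under ORIGINAL the inline block runs but the external script is refused; under ATTEMPT the external script loads but the inline block is now refused (no 'unsafe-inline' and no hash); under FIXED both pass, and any edit to the inline snippet, even a trailing space, invalidates the hash.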

Hello there,


Apologies for the delay in response!


We'd require more information on this as the same is not reproducible at our end. Can you try to implement the widget in different browsers and write to support(at)freshdesk.com with your findings? Our support folks can have this checked with our developers and keep you posted.


Cheers!