Skip to main content

Using Fin Messenger with Content Security Policy

Which domains you'll need to allow in your CSP or firewall.

Updated over a month ago

If your website implements a Content Security Policy (CSP), you'll need to ensure it allows resources required by Fin Messenger to load properly. CSP is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.

Below are the directives and values you should include in your policy to ensure full functionality of Fin Messenger across your product and website.

Required CSP directives

Fin Messenger fully supports Google strict CSPv3:

Content-Security-Policy:
  object-src 'none';
  script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:;
  base-uri 'self';

If you are already serving this policy from your website, you don't need to apply any changes. Please also note that you will need to include some nonce-source(s) for some scripts being loaded by the Fin Messenger. You can refer to this tutorial for any help regarding the handling of nonces.

Source allowlisting

If you prefer to rely on source allowlisting (for example if you can't use CSPv2 or v3 features) here are relevant directives you'll need to use:

script-src:
  https://app.intercom.io
  https://widget.intercom.io
  https://js.intercomcdn.com

If you're applying other CSP directives, you'll need to add the following entries for Fin Messenger to function correctly:

connect-src:
  https://via.intercom.io
  https://api.intercom.io
  https://api.au.intercom.io
  https://api.eu.intercom.io
  https://api-iam.intercom.io
  https://api-iam.eu.intercom.io
  https://api-iam.au.intercom.io 
  https://api-ping.intercom.io
  https://*.intercom-messenger.com
  wss://*.intercom-messenger.com
  https://nexus-websocket-a.intercom.io
  wss://nexus-websocket-a.intercom.io
  https://nexus-websocket-b.intercom.io
  wss://nexus-websocket-b.intercom.io
  https://nexus-europe-websocket.intercom.io 
  wss://nexus-europe-websocket.intercom.io 
  https://nexus-australia-websocket.intercom.io
  wss://nexus-australia-websocket.intercom.io 
  https://uploads.intercomcdn.com
  https://uploads.intercomcdn.eu 
  https://uploads.au.intercomcdn.com 
  https://uploads.eu.intercomcdn.com
  https://uploads.intercomusercontent.com
 
child-src:
  https://intercom-sheets.com
  https://www.intercom-reporting.com 
  https://www.youtube.com
  https://player.vimeo.com
  https://fast.wistia.net

font-src:
  https://js.intercomcdn.com
  https://fonts.intercomcdn.com

form-action:
  https://intercom.help
  https://api-iam.intercom.io
  https://api-iam.eu.intercom.io
  https://api-iam.au.intercom.io 

media-src:
  https://js.intercomcdn.com
  https://downloads.intercomcdn.com
  https://downloads.intercomcdn.eu
  https://downloads.au.intercomcdn.com

img-src:
  blob:
  data:
  https://js.intercomcdn.com
  https://static.intercomassets.com
  https://downloads.intercomcdn.com
  https://downloads.intercomcdn.eu
  https://downloads.au.intercomcdn.com
  https://uploads.intercomusercontent.com
  https://gifs.intercomcdn.com 
  https://video-messages.intercomcdn.com
  https://messenger-apps.intercom.io
  https://messenger-apps.eu.intercom.io
  https://messenger-apps.au.intercom.io
  https://*.intercom-attachments-1.com
  https://*.intercom-attachments.eu
  https://*.au.intercom-attachments.com
  https://*.intercom-attachments-2.com
  https://*.intercom-attachments-3.com
  https://*.intercom-attachments-4.com
  https://*.intercom-attachments-5.com
  https://*.intercom-attachments-6.com
  https://*.intercom-attachments-7.com
  https://*.intercom-attachments-8.com
  https://*.intercom-attachments-9.com
  https://static.intercomassets.eu
  https://static.au.intercomassets.com
  
style-src:
  'unsafe-inline'


Also, if your service supports CSPv3 only, you'll need to use two separate entries for frame-src and worker-src in place of child-src, as this keyword is being deprecated.

Note:

  • The above entries are required for Fin Messenger's functionality to work properly in your app. Some of the integrations in our App Store may require you to add other entries to your CSP as well. If that's the case, you should see an error message in your browser's developer's console indicating that.

  • https://*.intercom-messenger.com and wss://*.intercom-messenger.com have been added to the connect-src directive to accommodate a broader and more scalable infrastructure for realtime communication in the Fin Messenger. These wildcard entries are necessary to support the upgrade and ensure the messenger can connect to multiple realtime endpoints dynamically.

Firewalls

Many of the above domains will also need to be allowed in your firewall settings to allow correct functioning of Fin Messenger.

Did this answer your question?