We’re in the process of configuring Content Security Policy headers for our product, and one of the violations being highlighted is the inline styling used by the help widget we’ve integrated with our webapp.
Looking into the (obfuscated) javascript source, I can see that there is support to include a nonce value for the style tags, but I cannot figure out how to pass that value in, and the feature appears to be undocumented.
Please could someone on the dev side there let me know how to go about passing-in our server-generated nonce value? Is it via window.fwSettings for example?
We had this further checked with our product team, wherein I’m afraid the option to add nonce parameter to a help widget is not available as an option currently in the Freshdesk help widget.
However we have raised this as a feature enhancement in the help widget, for passing the nonce parameters in the widget. Based on the roadmap implementation of the same, we will keep you updated on this.
this measure can help many of us secure our web applications from XSS attacks.
this measure can help many of us secure our web applications from XSS attacks.