Help widget CSP nonce

We’re in the process of configuring Content Security Policy headers for our product, and one of the violations being highlighted is the inline styling used by the help widget we’ve integrated with our webapp.

Looking into the (obfuscated) JavaScript source, I can see that there is support to include a nonce value for the style tags, but I cannot figure out how to pass that value in, and the feature appears to be undocumented.

Please could someone on the dev side there let me know how to go about passing in our server-generated nonce value? Is it via window.fwSettings, for example?

Many thanks in advance for your help with this.

Hey @bendilley,

Welcome to the Freshworks Developer Community! :tada:

I see that there is a support ticket about this, and the Freshdesk support team would be the ideal resource for helping you with widgets.

To share the support response with the community:

We had this further checked with our product team, wherein I’m afraid the option to add a nonce parameter to a help widget is not available as an option currently in the Freshdesk help widget.

However we have raised this as a feature enhancement in the help widget, for passing the nonce parameters in the widget. Based on the roadmap implementation of the same, we will keep you updated on this.

:crossed_fingers: this measure can help many of us secure our web applications from XSS attacks.
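As an added illustration (not part of any post in this thread, and not Freshworks code): the server side of the setup the question describes, a per-response nonce in a `style-src` policy, plus a simplified audit that shows why a `<style>` element injected without that nonce is reported as a violation. All function names and the sample markup are constructed for this example.

```javascript
// Added example: names and sample markup are constructed for illustration.
const nodeCrypto = require("node:crypto");

// Fresh, unpredictable nonce for each HTTP response (128 bits, base64).
function newNonce() {
  return nodeCrypto.randomBytes(16).toString("base64");
}

// CSP header value that permits only same-origin stylesheets and <style>
// elements carrying this response's nonce.
function buildCsp(nonce) {
  return `default-src 'self'; style-src 'self' 'nonce-${nonce}'`;
}

// Simplified audit: list the <style> elements in an HTML string that the
// policy above would block, i.e. whose nonce attribute is missing or wrong.
// A regex is enough for this constructed sample; use a real HTML parser
// for production markup.
function blockedStyleElements(html, nonce) {
  const blocked = [];
  const styleTag = /<style\b([^>]*)>([\s\S]*?)<\/style>/gi;
  for (const [, attrs, css] of html.matchAll(styleTag)) {
    const m = /\bnonce\s*=\s*["']([^"']*)["']/i.exec(attrs);
    if (!m || m[1] !== nonce) blocked.push(css.trim());
  }
  return blocked;
}

// Constructed page: one first-party <style> with the nonce, and one <style>
// without a nonce, as a third-party script might inject it.
function samplePage(nonce) {
  return [
    `<style nonce="${nonce}">body { margin: 0 }</style>`,
    `<style>.widget-launcher { position: fixed }</style>`,
  ].join("\n");
}

const nonce = newNonce();
console.log("Content-Security-Policy:", buildCsp(nonce));
console.log("would be blocked:", blockedStyleElements(samplePage(nonce), nonce));
```

A nonce covers `<style>` elements only; inline `style="..."` attributes are governed separately (`style-src-attr`) and cannot be allowed by a nonce.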
