Embedding the ASAP Add-On on Sites with a Content Security Policy

Injection-based attacks are some of the most severe and harmful security threats that websites and web apps face. A Content Security Policy (CSP) is a powerful way to guard against such attacks. If your website or app has a CSP with the script-src directive, you will not be able to embed the ASAP add-on using just the code snippet on the ASAP setup page. You need to modify the snippet slightly so that the policy allows it to run.

Here's what you need to do.

To accommodate the ASAP add-on, the CSP must permit the execution of the ASAP snippet, which can be achieved by implementing the following steps:

Step 1: Generate a nonce value from your web browser.

Step 2: Pass the nonce value to the script-src directive of the Content-Security-Policy header, as follows:

Content-Security-Policy: script-src 'nonce-{place_the_unique_nonce_value_here}';


Step 3: Pass the same nonce value to the nonce attribute of the script tag in the ASAP code snippet.

<script nonce="{place_the_unique_nonce_value_here}" type="text/javascript" src="https://desk.zoho.com/portal/api/web/inapp/102108000003860037?orgId=56965841" defer></script>

The ASAP add-on subsequently passes on the nonce value to any scripts that it adds to the page.
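
The three steps above, sketched as one server-side routine. This is an added example, not Zoho's code: it assumes a Node.js backend that generates a fresh nonce for every response, and the function names are hypothetical.

```javascript
// Added example (not Zoho's code); function names are hypothetical.
// Web Crypto is a global on Node 20+; older Node loads it from node:crypto.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Step 1: a fresh, unguessable nonce for every HTTP response (128 random bits).
function newNonce() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  return Buffer.from(bytes).toString("base64");
}

// Step 2: the header value that carries the nonce in script-src.
function cspHeader(nonce) {
  return `script-src 'nonce-${nonce}';`;
}

// Step 3: the ASAP snippet carrying the same nonce.
function asapSnippet(nonce, src) {
  const esc = (s) => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return `<script nonce="${esc(nonce)}" type="text/javascript" src="${esc(src)}" defer></script>`;
}

// Build one response so the header and the markup always share one nonce.
function renderPage(asapSrc) {
  const nonce = newNonce();
  return {
    headers: { "Content-Security-Policy": cspHeader(nonce) },
    body: `<!doctype html><html><body>${asapSnippet(nonce, asapSrc)}</body></html>`,
  };
}

// Pre-send check: returns every <script> tag whose nonce is missing or is
// not one of the nonces listed in the response's own CSP header.
function nonceMismatches(page) {
  const policy = page.headers["Content-Security-Policy"];
  const allowed = new Set([...policy.matchAll(/'nonce-([^']+)'/g)].map((m) => m[1]));
  const tags = page.body.match(/<script\b[^>]*>/gi) ?? [];
  return tags.filter((tag) => {
    const m = tag.match(/\bnonce="([^"]*)"/i);
    return !m || !allowed.has(m[1]);
  });
}
```

A page body served from a cache keeps its old nonce while the header gets a new one; nonceMismatches returns the ASAP tag in that case, which the browser would refuse to run.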