Embedding the ASAP Add-On on Sites with a Content Security Policy
Injection-based attacks are some of the most severe and harmful security threats that websites/web apps face. Having a Content Security Policy (CSP) is a powerful way to guard against such attacks. If your website/app has a CSP with the script-src directive, you will not be able to embed the ASAP add-on using just the code snippet on the ASAP setup page. You need to modify the code a bit to make it happen.
Here's what you need to do.
To accommodate the ASAP add-on, the CSP must permit the execution of the ASAP snippet. The following steps achieve this:
Step 2: Pass the nonce value to the script-src directive of the Content-Security-Policy header, as follows:
Content-Security-Policy: script-src 'nonce-{place_the_unique_nonce_value_here}';
Step 3: Pass the same nonce value to the nonce attribute of the script tag in the ASAP code snippet.
The ASAP add-on then passes the nonce value on to any scripts it adds to the page, so those dynamically inserted scripts are also allowed by the policy.