From f88e49cedee37f1d6f53010697d0917d5120d320 Mon Sep 17 00:00:00 2001 From: Benoit Serrano Date: Wed, 25 Sep 2024 16:13:12 +0200 Subject: [PATCH] add crisp widget --- assets/js/crisp.js | 9 +++++++++ src/index.ts | 38 ++++++++++++++++++++++++++++++++----- src/views/partials/head.ejs | 2 ++ 3 files changed, 44 insertions(+), 5 deletions(-) create mode 100644 assets/js/crisp.js diff --git a/assets/js/crisp.js b/assets/js/crisp.js new file mode 100644 index 000000000..79fcb4c2e --- /dev/null +++ b/assets/js/crisp.js @@ -0,0 +1,9 @@ +window.$crisp = []; +window.CRISP_WEBSITE_ID = "d1d5816e-314a-45e4-9715-144347b1039a"; +(function () { + d = document; + s = d.createElement("script"); + s.src = "https://client.crisp.chat/l.js"; + s.async = 1; + d.getElementsByTagName("head")[0].appendChild(s); +})(); diff --git a/src/index.ts b/src/index.ts index f747b9bd2..b39874cde 100644 --- a/src/index.ts +++ b/src/index.ts @@ -78,11 +78,39 @@ if (!DISABLE_SECURITY_RESPONSE_HEADERS) { const cspConfig = { directives: { defaultSrc: ["'self'"], - imgSrc: ["'self'", "data:", "stats.data.gouv.fr"], - connectSrc: ["'self'", "stats.data.gouv.fr"], - scriptSrc: ["'self'", "stats.data.gouv.fr"], - styleSrc: ["'self'"], - fontSrc: ["'self'", "data:"], + imgSrc: [ + "'self'", + "data:", + "stats.data.gouv.fr", + "client.crisp.chat", + "image.crisp.chat", + "storage.crisp.chat", + ], + connectSrc: [ + "'self'", + "stats.data.gouv.fr", + "wss://client.relay.crisp.chat", + "client.crisp.chat", + "storage.crisp.chat", + "wss://stream.relay.crisp.chat", + ], + scriptSrc: [ + "'self'", + "stats.data.gouv.fr", + "settings.crisp.chat", + "blob:", + ], + styleSrc: ["'self'", "client.crisp.chat", "'unsafe-inline'"], + fontSrc: ["'self'", "data:", "client.crisp.chat"], + mediaSrc: ["'self'", "client.crisp.chat"], + frameSrc: ["'self'", "game.crisp.chat"], + + scriptSrcElem: [ + "'self'", + "client.crisp.chat", + "'sha256-RtdC0WqE+hX0MgZZk4QgMbkV1woYKbsuKQKKnWxsudI='", + ], + workerSrc: ["'self'", "blob:"], // As for https://github.com/w3c/webappsec-csp/issues/8, the feature is debated // and seems not useful for open id provider redirection. // We bypass this security for now. diff --git a/src/views/partials/head.ejs b/src/views/partials/head.ejs index d21e2af0a..4be27208b 100644 --- a/src/views/partials/head.ejs +++ b/src/views/partials/head.ejs @@ -27,6 +27,8 @@ + +