Answered

CSP: allowing form submissions to Typeform via Intercom integration

  • 15 May 2023
  • 9 replies
  • 283 views

Userlevel 1

We are attempting to use the typeform-intercom integration to gather user feedback. For some reason our CSP is blocking the form submissions to typeform and I cannot figure out why. I have updated the form-action entry in the CSP to include `*.intercom-integration.typeform.com/`, but yet it is still being blocked. Has anyone else run into this issue? Has anyone been able to update their CSP to correctly allow this form submission?

 

The error we are getting:

Refused to send form data to 'https://intercom-integration.typeform.com/intercom/renderForm?form_url=https://eva368832.typeform.com/to/Ur2MA5&sheet_title=Request%20a%20new%20ingredient&form_id=Ur2MA5' because it violates the following Content Security Policy directive: "form-action 'self' *.intercom-integration.typeform.com/ *.intercomcdn.com/".



Best answer by mathio 16 May 2023, 20:37


Userlevel 7

Hey @juliabuckley thanks for stopping by and sharing this, just wondering if maybe @mathio or @picsoung might know the answer 🤔

Userlevel 7

Hi @juliabuckley, I am sorry but I have no experience with this integration.

However I found these CSP docs on form-action and they say some browsers might block redirects after form submissions. Could this be the case? In case you are experiencing the issue in Chrome, can you please check with Firefox to rule this out?

Userlevel 1

This is the integration we are using: https://www.typeform.com/blog/news/intercom-integration/

 

I don’t believe it has to do with a redirect, because we are just loading the form and not sending the user out of our application at all, and the CSP warning is saying it is refusing to load the form. I tried in Safari and had the same issue there, unfortunately. It is super confusing because I believe I should just be able to add `intercom-integration.typeform` to the allowed source list in the form-action directive of the CSP and it should work. So I guess I am just grasping at straws and hoping someone has advice.

Userlevel 7

Hi @juliabuckley Could you share the URL where you have Typeform/Intercom so we can take a look? I haven’t seen this either, but it might be helpful to see the form within Intercom live, if possible. 

Userlevel 1

Unfortunately you won’t be able to access the page without an account. But here is a screenshot of how we are using intercom in our application. When the user clicks on the “Get Started” button a form from typeform is supposed to load within this little intercom embed. What actually happens is it loads a blank white view.  Not sure if this is helpful or not?

 

 

This is what I see in the console:

 

Userlevel 7

I see the message says:

Refused to send form data to 'https://intercom-integration.typeform.com/intercom/renderForm?form_url=http...m.com/to/Ur2MA5&sheet_title=Request%20a%20new%20ingredient&form_id=Ur2MA5' because it violates the following Content Security Policy directive: "form-action 'self'".

 

This looks like the domain https://intercom-integration.typeform.com/ is not in your CSP header.

However I have also noticed in your first post you mentioned adding this domain to your CSP headers: *.intercom-integration.typeform.com/

Can you try with https://intercom-integration.typeform.com/ since there is no leading dot in the URL.

Userlevel 1

I was able to resolve the issue by setting the form-action directive as follows:

'form-action': https://intercom-integration.typeform.com/intercom/ 'self'

For some reason leaving out the https:// was not successful.

Userlevel 1

@mathio Thanks! Yes I clearly was messing that up, thanks for pointing out =)

Userlevel 7

I think using *.intercom-integration.typeform.com/ expects another value, separated by a dot, to be there before it, e.g. something.intercom-integration.typeform.com/, which is not the case. Using the value intercom-integration.typeform.com/ might work as well, but I don't think you need to support anything other than the https protocol.

Happy to help. Sometimes all you need is a second pair of eyes 😃 Happens to everybody.
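The wildcard and path behaviour discussed in this thread, as an added example that is not part of any post above and is not Typeform or Intercom code: a simplified model of the CSP Level 3 host-source matching rules applied to `form-action`. The function names are hypothetical, only default ports are handled, and the protected page is assumed to be served over https.

```javascript
// Added example: simplified CSP Level 3 host-source matching for form-action.
// Assumptions: default ports only; pageScheme is the scheme of the protected page.
function parseSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::\d+)?(\/.*)?$/i.exec(expr);
  if (!m) throw new Error(`not a host-source: ${expr}`);
  return { scheme: m[1] || null, host: m[2].toLowerCase(), path: m[3] || "" };
}

function schemeMatches(allowed, actual) {
  // An http source also covers the https upgrade of the same host.
  return allowed === actual || (allowed === "http" && actual === "https");
}

function hostMatches(pattern, host) {
  if (!pattern.startsWith("*.")) return pattern === host;
  // "*.example.com" requires at least one extra label; the bare host never matches.
  const suffix = pattern.slice(1);
  return host.length > suffix.length && host.endsWith(suffix);
}

function pathMatches(allowed, actual) {
  if (allowed === "" || allowed === "/") return true; // no path restriction
  const a = allowed.split("/"), b = actual.split("/");
  const exact = !allowed.endsWith("/"); // trailing "/" means prefix match
  if (a.length > b.length || (exact && a.length !== b.length)) return false;
  if (!exact) a.pop();
  return a.every((piece, i) => decodeURIComponent(piece) === decodeURIComponent(b[i]));
}

function formActionAllows(sourceExpr, targetUrl, pageScheme = "https") {
  const src = parseSource(sourceExpr);
  const url = new URL(targetUrl);
  return schemeMatches(src.scheme || pageScheme, url.protocol.slice(0, -1)) &&
    hostMatches(src.host, url.hostname) &&
    pathMatches(src.path, url.pathname);
}

// Target taken from the console error in the thread (query string shortened).
const target = "https://intercom-integration.typeform.com/intercom/renderForm?form_id=Ur2MA5";
for (const source of [
  "*.intercom-integration.typeform.com/",                // first attempt
  "*.intercomcdn.com/",                                  // other entry in the policy
  "https://intercom-integration.typeform.com/intercom/", // the fix that worked
]) {
  console.log(source, "=>", formActionAllows(source, target));
}
```

A source path ending in `/` is a prefix match, while one without the trailing slash (for example `/intercom`) must equal the request path exactly.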
