Live Helper Chat support forum.. Forum is locked. New place for questions - Github Discussions

You are not logged in.

Announcement

#1 2022-07-27 21:32:12

jamminjames
Member
Registered: 2022-02-24
Posts: 38

Going to Contact form blocked by CSP

The live chat is set to go to the Contact form after 60 seconds if no operator responds, but it just goes blank, unless visitor clicks the popup button (upper right).

It seems this may be caused by the Content Security Policy. However, we have that set to allow anything self-hosted. The error I'm seeing is:
"Content Security Policy: The page’s settings blocked the loading of a resource at https://subs.humortimes.com/livehelperc … /(theme)/1 (“default-src”). "

But since that page is within our domain, it should not be getting blocked, as we have the relevant policy set as "default-src 'self' "

How can this be fixed? Thanks!

Last edited by jamminjames (2022-07-27 22:18:17)

Offline

#2 2022-07-27 22:15:14

PeopleInside
Administrator
From: Italy
Registered: 2014-04-10
Posts: 4,046
Website

Re: Going to Contact form blocked by CSP

I'm unable to replicate in https://demo.livehelperchat.com
Maybe a video can help to better see what you are experiencing. Have you tried from a different browser and / or in incognito mode?


lol PeopleInside - Live helper chat - free limited forum support!
wink For commercial support or GitHub [see FAQ here]
ops If you want to support this open source project, just donate [see support page]
glasses Something wrong with the forum? [contact a superhero]

Offline

#3 2022-07-27 22:20:29

jamminjames
Member
Registered: 2022-02-24
Posts: 38

Re: Going to Contact form blocked by CSP

Please see my updated question. It's a CSP problem, but our CSP allows anything hosted on our site, so the question becomes, why is LHC violating the CSP? It shouldn't, as it is self-hosted.

Offline

#4 2022-07-27 22:26:01

PeopleInside
Administrator
From: Italy
Registered: 2014-04-10
Posts: 4,046
Website

Re: Going to Contact form blocked by CSP

So the chat widget is showed correctly but when user are redirected, in the same widget, to the contact form you get a blank page and the error on browser developer console?
This seems strange. Currently I have not an answer to this, have to look if I have the same issue on my website.


lol PeopleInside - Live helper chat - free limited forum support!
wink For commercial support or GitHub [see FAQ here]
ops If you want to support this open source project, just donate [see support page]
glasses Something wrong with the forum? [contact a superhero]

Offline

#5 2022-07-27 22:33:06

PeopleInside
Administrator
From: Italy
Registered: 2014-04-10
Posts: 4,046
Website

Re: Going to Contact form blocked by CSP

About this issue I tested on my website and no issue was present.
So I'm unable to repriduce also on my server means you have some server configuration somewhere or you miss some rules configuration.

1. be sure to use the latest live helper chat version
2. check the following topic: https://forum.livehelperchat.com/viewtopic.php?id=2195 they may help you.

If you still have issue about this I think the only help avaiable will be maybe the commercial one, not done by me but done by the developer.
I don't think the developer can help you here to resolve this. You can try to wait here for an answer.


lol PeopleInside - Live helper chat - free limited forum support!
wink For commercial support or GitHub [see FAQ here]
ops If you want to support this open source project, just donate [see support page]
glasses Something wrong with the forum? [contact a superhero]

Offline

#6 2022-07-28 01:21:49

jamminjames
Member
Registered: 2022-02-24
Posts: 38

Re: Going to Contact form blocked by CSP

I hope the developer can help with this. For our CSP, we use nonces. Since LHC creates script urls on the fly (I assume for security purposes), with addresses like the one noted at the start of this thread ("https://subs.humortimes.com/livehelperc … /(theme)/1"), we can't create a nonce for LHC's scripts. So we have a separate policy set up for anything in the /livehelperchat directories, and it works, except for this one issue.

The policy we have to set up for livehelperchat is very permissive ("default-src 'self' 'unsafe-inline';" etc), so it would be better if we could do something that would allow LHC to insert our nonce when it calls for a script. If the developer can help with that issue, it would really be the most secure way to go.

Thanks for any help.

Offline

Board footer