how to add third part chatbot code into shopify app node js express js.

how to add third part chatbot code into shopify app node js express js.

1080
Shopify Partner
301 9 64

Hi All,


I want to add the freshdesk chatbot into the app, i am facing error with CSP violation.
Error :  
Refused to load the script 'https://ind-widget.freshworks.com/widgets/XXX.js' because it violates the following Content Security Policy directive: "default-src 'self' https://*.googleapis.com https://*.myshopify.com https://*.shopify.com https://*.googletagmanager.com https://*.google-analytics.com https://s.ytimg.com https://www.youtube.com https://yourdomainname.com https://*.googleapis.com https://*.gstatic.com https://*.w.org data: 'unsafe-inline' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback.

```
setHeader and append header create multiple entry. in header response. 
```
app stack node js express and react.

how to add the any third part code into the app.

Replies 2 (2)

EcomGraduates
Shopify Partner
735 63 105

hello there 

 

The error message you're seeing indicates that the script you're trying to load violates the Content Security Policy (CSP) of your app. CSP is a security feature in web browsers that helps prevent cross-site scripting (XSS) attacks.

To resolve this issue, you'll need to update your app's CSP to allow the script to be loaded. Here's how you can do it:

  1. Identify the CSP directives that are causing the error. In this case, the error message indicates that the default-src directive is being used, and that the script being loaded violates it.

  2. Add the necessary domains to the default-src directive to allow the script to be loaded. Based on the error message, you'll need to add https://ind-widget.freshworks.com to the default-src directive.

  3. Update your app's CSP using the helmet middleware in your Node.js/Express app. The helmet middleware provides a convenient way to set various security-related HTTP headers, including the CSP header.

Here's an example of how you can update your app's CSP using helmet:

 

const express = require('express');
const helmet = require('helmet');

const app = express();

// Use the helmet middleware to set the CSP header
app.use(
  helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: [
        "'self'",
        "https://*.googleapis.com",
        "https://*.myshopify.com",
        "https://*.shopify.com",
        "https://*.googletagmanager.com",
        "https://*.google-analytics.com",
        "https://s.ytimg.com",
        "https://www.youtube.com",
        "https://yourdomainname.com",
        "https://*.googleapis.com",
        "https://*.gstatic.com",
        "https://*.w.org",
        "data:",
        "'unsafe-inline'",
        "'unsafe-eval'",
        "https://ind-widget.freshworks.com"
      ]
    }
  })
);

// Your app routes and middleware go here

 


If this fixed your issue, likes and accepting as a solution are highly appreciated.

Build an online presence with our custom built Shopify Theme EcomifyTheme




1080
Shopify Partner
301 9 64

@EcomGraduates  i have using the node inbuilt function.

res.setHeader('Content-Security-Policy', ""
I was able to load. the freshdesk widget.  but this was the issue with the app review validation.  app get rejected.