Problem with BrowserPolicy and Zopim


#1

I am using BrowserPolicy to secure my project form cross-site scripting.
This is my configuration:

BrowserPolicy.framing.disallow();
BrowserPolicy.content.disallowInlineScripts();
BrowserPolicy.content.disallowEval();
BrowserPolicy.content.allowInlineStyles();
BrowserPolicy.content.allowFontDataUrl();

I am also using Zopim for customer support.
I added the following line to allow scripts from Zopim:

BrowserPolicy.content.allowOriginForAll("https://v2.zopim.com/")

index.html :

  <script type="text/javascript">
    var ua = navigator.userAgent.toLowerCase(),
    platform = navigator.platform.toLowerCase();
    platformName = ua.match(/ip(?:ad|od|hone)/) ? 'ios' : (ua.match(/(?:webos|android)/) || platform.match(/mac|win|linux/) || ['other'])[0],
    isMobile = /ios|android|webos/.test(platformName);
    if (!isMobile) {
      window.$zopim||(function(d,s){var z=$zopim=function(c){z._.push(c)},$=z.s=
      d.createElement(s),e=d.getElementsByTagName(s)[0];z.set=function(o){z.set.
      _.push(o)};z._=[];z.set._=[];$.async=!0;$.setAttribute("charset","utf-8");
      $.src="//v2.zopim.com/?xxxxxxxxxxxxxx";z.t=+new Date;$.
      type="text/javascript";e.parentNode.insertBefore($,e)})(document,"script");
    }
  </script>

But it does not work. Zopim gets blocked.
Has anyone tried this? Can anyone spot what I am missing?

cheers
godo


#2

Try removing the above line.