## Version info - intercom-rails version: 0.4.2 - Rails version: 7.0.5 ## Expected behavior Both should be true depending on how you use `intercom-rails`: 1. If doing manual insertion with `intercom_script_tag`: The `intercom_script_tag.csp_sha256` should match the hash of the script injected into the HTML 2. If doing automatic insertion: The `sha256` in the hook described [in the CSP section of the readme](https://github.com/intercom/intercom-rails#content-security-policy-level-2-csp-support) `def self.csp_sha256_hook(controller, sha256)` should match the hash of the script injected into the HTML ## Actual behavior The browser reports ``` Refused to execute inline script because it violates the following Content Security Policy directive: [...] Either the 'unsafe-inline' keyword, a hash ('sha256-0wDuHgTA8dC7F+INUiUehCTAmoC3UVFkJl6ECD9w+iY='), or a nonce ('nonce-...') is required to enable inline execution. ``` There are `CDATA` tags surrounding the script resulting in the hash generated by `intercom-rails` not matching the browser's hash of the script: <img width="648" alt="Screenshot 2023-06-27 at 13 02 25" src="https://github.com/intercom/intercom-rails/assets/965124/4ad31dc6-3741-48ff-a9f3-f097b162f347"> I verified that if I take a manual sha256 hash with the CDATA tags included it does match the hash reported by the browser. ## Steps to reproduce 1. Configure standard `intercom-rails` integration 2. Enable rails CSP and set `config.content_security_policy_report_only = false` 3. Setup the [Content Security Policy hooks](https://github.com/intercom/intercom-rails#content-security-policy-level-2-csp-support) for sha256 header appending 4. Load the app and notice the browser reports it cannot execute the intercom script ## Logs ``` Refused to execute inline script because it violates the following Content Security Policy directive: [...] Either the 'unsafe-inline' keyword, a hash ('sha256-0wDuHgTA8dC7F+INUiUehCTAmoC3UVFkJl6ECD9w+iY='), or a nonce ('nonce-...') is required to enable inline execution. ```