topic Getting CSP errors even after allowlisting Hubspot Tracking Code on web product in APIs & Integrations

Getting CSP errors even after allowlisting Hubspot Tracking Code on web product

HBaranwal — Fri, 05 Aug 2022 18:51:41 GMT

The problem we are facing when adding HubSpot scripts and functionality to our web product is that they are loaded from various domains and sub-domains. I have a CSP in place for security reasons, so all scripts, iframe, form, image sources, etc., need to be put on the allowlist before they're loaded.

I'm sure there's a good reason why the scripts come from so many different domains, but every time we put one domain on the allowlist, it shows another domain on the network window while inspecting. Can I get a list of all possible domains/subdomains needed to allowlist to resolve the CSP error and track all the functionalities of the Hubspot script, or could someone tell me a workaround? As of right now, the process of allowlisting is full of friction.

Re: Getting CSP errors even after allowlisting Hubspot script on web product

Jaycee_Lewis — Fri, 05 Aug 2022 17:02:38 GMT

Hi, @HBaranwal 👋 Welcome to the community. Hey, @himanshurauthan @JBeatty @miljkovicmisa have you ever solved for this or a similar issue?

Thank you for taking a look! — Jaycee

Re: Getting CSP errors even after allowlisting Hubspot script on web product

himanshurauthan — Wed, 31 Aug 2022 10:23:19 GMT

Hello @Jaycee_Lewis,thank you for tagging me in! Sure I would love to give it a try.

So @HBaranwal I would suggest you try the following:

script-src

https://*.hubspot.com

https://js.hscollectedforms.net

https://js.hsadspixel.net

https://*.hs-scripts.com

https://js.hs-banner.com

https://js.hs-analytics.net

https://forms.hsforms.com

https://*.usemessages.com

img-src

https://*.hsforms.com

https://*.hubspot.com

connect-src

https://*.hubspot.com

https://*.hubapi.com

frame-src

https://*.hubspot.com

I hope this will resolve your problem!

Regards,

Re: Getting CSP errors even after allowlisting Hubspot script on web product

THC — Mon, 07 Aug 2023 06:18:56 GMT

Hi @himanshurauthan ,

I hope you are doing well.

I am facing a similar issue myself with the CSP header. My question is: how can we update the CSP header in the Domain security settings? Whenever I add the code to the CSP, my site throws errors and breaks. I want to narrow down the CSP to avoid broad issues in my domain. To achieve this, I need to add 'object-src' and 'script-src' directives to 'self', limiting the handling of objects and scripts to only those on my own domain, or specifying trusted domains.

I've read and understood an article about setting up the CSP header, but it's too confusing for me to implement on my domain. Could you please guide me through this issue? Your help would be greatly appreciated.