Content-Security-Policy-Report-Only from app.hubspot.com is reporting errors to browsers
When embedding a HubSpot form in a website, Chrome is showing the following issues in DevTools:
Refused to frame app.hubspot.com because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".
I tried several changes to my own site's Content Security Policy; however, I am sure this is because the Content-Security-Policy-Report-Only is incorrectly configured on the domain app.hubspot.com, where this is the directive:
frame-ancestors 'self'; report-uri ...
As far as I understand how frame-ancestors works, this directive is basically saying that only app.hubspot.com can use the reporting API? However, the idea of the Reporting API is that clients send their issues to it when an error or issue occurs in their browser. Hence I believe the correct change to remove these errors in clients' browsers would be to remove the frame-ancestors directive.
I just redeployed an application reverting the code back to what it was before (no additional updates). All looks to be working fine. Please inform developers to "not" deploy script/security changes unless they run things through a test bed. This caused quite a bit of havoc. Thanks.
We are also experiencing the same error in the console. I have read that a fix has been made but wondering if we have to create a new form and redeploy a new script?
Is there any documentation on this issue to help fix? Cheers!
Thank you for the confirmation. I appreciate it. I will let our support person know. They will truly just need to let the downstream apps handle security vs forcing top down...which in this case will not work at all. Thanks again.
FYI, I'm working with David (support) on the issue. Just wanted to see if there were any others getting this. We get an error on all external sites that use the HS forms. No matter what I set locally (running on a laptop for example), this error will not go away. So assuming it's from the HS website.
It looks like this issue may be back. We get this now on all external sites that use HubSpot forms: Refused to frame 'https://app.hubspot.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' app.hubspot.com".
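Added example, not part of the thread and not HubSpot's code: a simplified model of how a browser evaluates the frame-ancestors values quoted in the posts above, checking every embedding ancestor against the source list sent by the framed page, and of how the enforcing header differs from the Report-Only one. The site origin https://www.example.com and the report-uri path are constructed placeholders; path matching and the rest of the CSP grammar are left out.

```javascript
// Added example: simplified frame-ancestors check (scheme, host and port only).
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function parseFrameAncestors(policy) {
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return values;
  }
  return null; // directive absent: this policy does not restrict framing
}

// self = URL of the framed (protected) page, ancestor = URL of an embedding page.
function sourceMatches(source, ancestor, self) {
  const a = new URL(ancestor), s = new URL(self);
  if (source === "'none'") return false;
  if (source === "'self'") return a.origin === s.origin;
  if (source === "*") return true; // simplified: treat as "any ancestor"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return a.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  // A host-source without a scheme inherits the framed page's scheme.
  const want = (m[1] ? m[1] + ":" : s.protocol).toLowerCase();
  const schemeOk = a.protocol === want || (want === "http:" && a.protocol === "https:");
  const host = m[2].toLowerCase();
  const hostOk = host.startsWith("*.")
    ? a.hostname.endsWith(host.slice(1)) // "*.x.test" matches subdomains, not x.test
    : a.hostname === host;
  const port = a.port || DEFAULT_PORTS[a.protocol];
  const portOk = m[3] === "*" || (m[3] ?? DEFAULT_PORTS[a.protocol]) === port;
  return schemeOk && hostOk && portOk;
}

// ancestors: URLs of every embedding page (parent, grandparent, ...); all must match.
function checkFraming(headerName, policy, self, ancestors) {
  const sources = parseFrameAncestors(policy);
  if (sources === null) return { violation: false, blocked: false, offender: null };
  const offender =
    ancestors.find((a) => !sources.some((src) => sourceMatches(src, a, self))) ?? null;
  // Report-Only policies produce a violation report but never block the frame.
  const enforced = headerName.toLowerCase() === "content-security-policy";
  return { violation: offender !== null, blocked: enforced && offender !== null, offender };
}

// Constructed scenario: an external site embeds a page served from app.hubspot.com.
const framed = "https://app.hubspot.com/";
const policy = "frame-ancestors 'self'; report-uri /constructed-endpoint";
console.log(checkFraming("Content-Security-Policy-Report-Only", policy, framed,
  ["https://www.example.com/landing"]));
```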
We've had the same issue and it is causing problems with our Google Ads because the link is being rejected. Since there has been a fix, do we need to update our forms and reload?