Content-Security-Policy-Report-Only from app.hubspot.com is reporting errors to browsers
When embedding a Hubspot form in a website, Chrome is showing the following issues in Devtools:
Refused to frame app.hubspot.com because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".
I tried several changes to my own site's Content Security Policy; however, I am sure this is because the Content-Security-Policy-Report-Only is incorrectly configured on the domain app.hubspot.com, where this is the directive:
frame-ancestors 'self'; report-uri ...
As far as I understand how frame-ancestors works, this directive is basically saying that only app.hubspot.com can use the reporting API? However, the idea of the Reporting API is that clients send their issues to it when an error or issue occurs in their browser. Hence I believe the correct change to remove these errors in clients' browsers would be to remove the frame-ancestors directive.
@dennisedson This seems like it can only be fixed on HubSpot's side. Could you confirm if HubSpot acknowledges that's the case and if they plan to work on a fix?
The same issue is preventing your scripts such as forms.hubspot.com from loading in Firefox, Chrome and Safari (browsers detecting it as an invalid CORS request and blocking it); because of this our lead captures from forms aren't working.
Hi all, we managed to resolve this issue. In our case, it was because our site did not support iframes. Every Hubspot code is essentially in an iframe. It took some work from our developer but it was a pretty quick fix.
That's great news, GCiampa. Could your developer provide any guidance as to what the fix was? We are really struggling here with this same issue and would love to see if we could replicate your approach.
The original poster is correct, this needs to be handled by Hubspot. The frame-ancestors content security policy setting is on Hubspot's side to change. In Hubspot's CSP for `https://app.hubspot.com/` frame-ancestors is set to 'self'. This means that `https://app.hubspot.com` is only allowed to be loaded on app.hubspot.com itself and not in an iframe on any other domains.
However, when you use the form embed code it tries to load `https://app.hubspot.com/forms-next-v2-captcha` as part of the payload. So this either needs to be moved to another domain that is allowed to be embedded in iframes, or the frame-ancestors directive needs to be removed from the app.hubspot.com CSP.
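To make the behaviour discussed in this thread concrete, here is an added example (not code from HubSpot or from any poster above) that parses a CSP header value and evaluates a `frame-ancestors` source list the way a browser does when deciding whether a page may be framed: `'self'` is the origin of the framed document, not of the embedding page, so a third-party site embedding `app.hubspot.com` fails the check. It also distinguishes the enforced `Content-Security-Policy` header (embedding blocked) from `Content-Security-Policy-Report-Only` (violation only reported). The header values, the `report-uri` endpoint and the embedding URLs below are constructed for the example; the matcher is simplified (the path part of a host source is ignored).

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header_value):
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url):
    """Return (scheme, host, port) for a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def _host_source_matches(source, ancestor_origin):
    """Match a host-source such as https://*.example.com or example.com:8443."""
    a_scheme, a_host, a_port = ancestor_origin
    scheme, rest = source.split("://", 1) if "://" in source else (None, source)
    host_port = rest.split("/", 1)[0]  # simplification: the path part is ignored
    host, _, port = host_port.partition(":")
    if scheme is not None:
        scheme = scheme.lower()
        # CSP3: an explicit http: source also matches https:, never the reverse
        if not (scheme == a_scheme or (scheme == "http" and a_scheme == "https")):
            return False
    if port == "" and a_port != DEFAULT_PORTS.get(a_scheme):
        return False  # no port given: only the scheme's default port matches
    if port not in ("", "*") and int(port) != a_port:
        return False
    host = host.lower()
    if host.startswith("*."):
        return a_host.endswith(host[1:])  # subdomains only, not the bare domain
    return a_host == host


def source_matches(source, ancestor_url, protected_url):
    """Does one frame-ancestors source expression allow ancestor_url to frame protected_url?"""
    keyword = source.lower()
    if keyword == "'none'":
        return False
    if keyword == "'self'":
        # 'self' is the origin of the document being framed, not of the embedder
        return _origin(ancestor_url) == _origin(protected_url)
    if keyword == "*":
        return True
    if keyword.endswith(":") and "/" not in keyword:  # scheme-source, e.g. "https:"
        return _origin(ancestor_url)[0] == keyword[:-1]
    return _host_source_matches(source, _origin(ancestor_url))


def frame_ancestors_allows(header_value, protected_url, ancestor_url):
    """True if the policy lets ancestor_url embed protected_url (no directive = no restriction)."""
    sources = parse_csp(header_value).get("frame-ancestors")
    if sources is None:
        return True
    return any(source_matches(s, ancestor_url, protected_url) for s in sources)


def csp_outcome(header_name, header_value, protected_url, ancestor_url):
    """'allowed', 'blocked' (enforced header) or 'reported' (Report-Only header)."""
    if frame_ancestors_allows(header_value, protected_url, ancestor_url):
        return "allowed"
    if header_name.lower() == "content-security-policy-report-only":
        return "reported"
    return "blocked"


# Constructed sample values (report-uri is a placeholder, not a real endpoint).
HUBSPOT_STYLE_POLICY = "frame-ancestors 'self'; report-uri https://csp-reports.example.invalid/"
FRAMED_URL = "https://app.hubspot.com/forms-next-v2-captcha"
THIRD_PARTY_PAGE = "https://www.example.com/contact"

if __name__ == "__main__":
    for header in ("Content-Security-Policy", "Content-Security-Policy-Report-Only"):
        print(header, "->", csp_outcome(header, HUBSPOT_STYLE_POLICY, FRAMED_URL, THIRD_PARTY_PAGE))
```

Run as a script it prints `blocked` for the enforced header and `reported` for the Report-Only one, which is why a Report-Only policy alone cannot be what stops an embed from rendering; the check is worth running against your own site's policy as well, since a `frame-ancestors` on the embedding page has no effect on whether that page may frame a third-party document.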