Content-Security-Policy-Report-Only from app.hubspot.com is reporting errors to browsers
Jan 18, 2021 6:56 AM
When embedding a HubSpot form in a website, Chrome is showing the following issues in DevTools:
Refused to frame app.hubspot.com because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".
I tried several changes to my own site's Content Security Policy; however, I am sure this is because the Content-Security-Policy-Report-Only is incorrectly configured on the domain app.hubspot.com, where this is the directive:
frame-ancestors 'self'; report-uri ...
As far as I understand how frame-ancestors works, this directive is basically saying that only app.hubspot.com can use the reporting API? However, the idea of the Reporting API is that clients send their issues to it when an error or issue occurs in their browser. Hence I believe the correct change to remove these errors in clients' browsers would be to remove the frame-ancestors directive.
More information is available here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
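Added example, not part of the original post or HubSpot's code: a simplified evaluation of how a browser treats `frame-ancestors` when it arrives in an enforced `Content-Security-Policy` header versus a `Content-Security-Policy-Report-Only` header. The hostnames and the report endpoint are constructed placeholders, and `checkFraming` is a hypothetical helper that handles only `'self'`, `*` and plain host sources (no ports or paths).

```javascript
// Added example: simplified frame-ancestors evaluation, not a full CSP source matcher.
function parsePolicy(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // CSP keeps the first occurrence of a directive and ignores repeats.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceMatches(source, ancestor, self) {
  if (source === '*') return true;
  if (source.toLowerCase() === "'self'") return ancestor.origin === self.origin;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)$/i.exec(source);
  if (!m) return false; // source form not covered by this sketch
  const [, scheme, wildcard, host] = m;
  if (scheme && scheme.toLowerCase() + ':' !== ancestor.protocol) return false;
  const h = host.toLowerCase();
  return wildcard ? ancestor.hostname.endsWith('.' + h) : ancestor.hostname === h;
}

// headers: object with lowercase header names; ancestors: URLs of every embedding page.
function checkFraming(framedUrl, headers, ancestors) {
  const self = new URL(framedUrl);
  const result = { blocked: false, reports: [] };
  const policies = [
    ['enforce', headers['content-security-policy']],
    ['report', headers['content-security-policy-report-only']],
  ];
  for (const [disposition, value] of policies) {
    if (!value) continue;
    const directives = parsePolicy(value);
    const sources = directives.get('frame-ancestors');
    if (!sources) continue; // no directive means no framing restriction
    // Every ancestor must match at least one listed source.
    const violator = ancestors.find(
      (a) => !sources.some((s) => sourceMatches(s, new URL(a), self)));
    if (!violator) continue;
    const reportUri = (directives.get('report-uri') || [])[0] || null;
    result.reports.push({ disposition, violator, reportUri });
    if (disposition === 'enforce') result.blocked = true; // report-only never blocks
  }
  return result;
}
```

With the report-only header, a cross-origin embed still loads and only a violation report is produced; the same directive in the enforced header blocks the frame.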
Mar 15, 2021 4:11 PM
OK everyone, I have been told that a fix has been deployed. Let me know what you all are seeing out there now 😀