AndrewHo
Participant

Content-Security-Policy-Report-Only from app.hubspot.com is reporting errors to browsers

When embedding a Hubspot form in a website, Chrome is showing the following issues in Devtools:

 

Refused to frame app.hubspot.com because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".

 

I tried several changes to my own site's Content Security Policy; however, I am sure this is because the Content-Security-Policy-Report-Only is incorrectly configured on the domain app.hubspot.com, where this is the directive:

 

frame-ancestors 'self'; report-uri ...

 

As far as I understand how frame-ancestors works, this directive is basically saying that only app.hubspot.com can use the reporting API? However, the idea of the Reporting API is that clients send their issues to it when an error or issue occurs in their browser. Hence I believe the correct change to remove these errors in clients' browsers would be to remove the frame-ancestors directive.

 

More information is available here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only

1 Accepted solution
dennisedson
Solution
Community Manager

OK everyone, I have been told that a fix has been deployed.  Let me know what you all are seeing out there now 😀


44 Replies
AlbertoSM
Participant | Gold Partner

It works now, thank you!

Swarnendu
Member

Is this happening again? 

https://outplayhq.com/meeting-with-outplay

0 Upvotes
Swarnendu
Member

Pls help here? The iframe of hubspot meetings embed is not loading

0 Upvotes
MHamlin
Member

Did this issue get un-fixed? 🙂 I'm getting this error today.

0 Upvotes
FFraga
Member

it seems to be all good now, thanks!

AlbertoSM
Participant | Gold Partner

I have the same issue. Any news?

0 Upvotes
dennisedson
Community Manager

@AlbertoSM , not yet, but I do know that it is being worked on.


0 Upvotes
philipcron
Participant

Same situation here. I tried to update things on my end but it did not fix the issue. Hoping for a fix on HubSpot's side.

https://kpstaffing.com/ 

0 Upvotes
CAndres
Participant

@dennisedson This seems like it can only be fixed on HubSpot's side. 
Could you confirm if HubSpot acknowledges that's the case and if they plan to work on a fix? 




dennisedson
Community Manager

Hey all, The team is looking into this.  I will report back when I have an update.


Jeff_videommerc
Member

Hi Dennis, did you solve this issue? Now even the messages are not delivered via HubSpot forms.

dennisedson
Community Manager

The team is looking into it.  Will report back when I have confirmed the resolution


Dpontarelli
Participant | Gold Partner

Hello, we're having the exact same issue with the Content Security policy. Has anyone resolved this yet? 

04705
Participant

The same issue is preventing your scripts such as forms.hubspot.com from loading in Firefox, Chrome and Safari (browsers detecting it as an invalid CORS request and blocking it); because of this, our lead captures from forms aren't working.

GCiampa
Participant

I am having this same issue! Has anyone managed to resolve it?

0 Upvotes
GCiampa
Participant

Hi all, we managed to resolve this issue. In our case, it was because our site did not support iframes. Every Hubspot code is, essentially, in an iframe. It took some work from our developer but it was a pretty quick fix.

IWatt
Participant

That's great news, GCiampa. Could your developer provide any guidance as to what the fix was? We are really struggling here with this same issue and would love to see if we could replicate your approach.

dennisedson
Community Manager

The best bet would be to work with your site admin to update the content security policy.

Here is some documentation on it.


0 Upvotes
tinyfly
Participant

The original poster is correct, this needs to be handled by Hubspot. The frame-ancestors content security policy setting is on Hubspot's side to change. In Hubspot's CSP for `https://app.hubspot.com/` frame-ancestors is set to 'self'. This means that `https://app.hubspot.com` is only allowed to be loaded on app.hubspot.com itself and not in an iframe on any other domains.

 

However, when you use the form embed code it tries to load `https://app.hubspot.com/forms-next-v2-captcha` as part of the payload. So this either needs to be moved to another domain that is allowed to be embedded in iframes or remove the frame-ancestors directive from the app.hubspot.com CSP.
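The behaviour described in the post above, as an added example that is not part of the original thread and is not HubSpot's code: a simplified `frame-ancestors` evaluator showing that the same directive blocks the frame only when sent in `Content-Security-Policy`, while in `Content-Security-Policy-Report-Only` it only produces the console message and a report. The function names, the `customer-site.example` page and the report endpoint are constructed, and source matching covers scheme, host and port only.

```javascript
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Returns the frame-ancestors source list, or null if the policy has none.
function parseFrameAncestors(headerValue) {
  for (const part of (headerValue || "").split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

function sourceMatches(source, ancestorUrl, selfUrl) {
  const a = new URL(ancestorUrl);
  if (source === "'none'") return false;
  if (source === "'self'") return a.origin === new URL(selfUrl).origin;
  if (source === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return a.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // Simplification: a source without a scheme is accepted for any scheme.
  if (scheme && scheme.toLowerCase() + ":" !== a.protocol) return false;
  const h = host.toLowerCase();
  const hostOk = h.startsWith("*.") ? a.hostname.endsWith(h.slice(1)) : a.hostname === h;
  const wantPort = port || DEFAULT_PORT[a.protocol];
  return hostOk && (port === "*" || (a.port || DEFAULT_PORT[a.protocol]) === wantPort);
}

// ancestors: URL of every embedding document, from the parent up to the top page.
function evaluateFraming(headers, resourceUrl, ancestors) {
  const violates = (value) => {
    const sources = parseFrameAncestors(value);
    return sources !== null &&
      !ancestors.every((anc) => sources.some((s) => sourceMatches(s, anc, resourceUrl)));
  };
  return {
    // Only the enforcing header makes the browser refuse to render the frame.
    blocked: violates(headers["content-security-policy"]),
    // The Report-Only header logs a console message and sends a report, nothing more.
    reportOnlyViolation: violates(headers["content-security-policy-report-only"]),
  };
}

// Constructed sample: the directive quoted in the thread, on a made-up embedding page.
const result = evaluateFraming(
  { "content-security-policy-report-only": "frame-ancestors 'self'; report-uri https://csp-reports.example/r" },
  "https://app.hubspot.com/forms-next-v2-captcha", ["https://www.customer-site.example/contact"]);
console.log(result);
```

To check a live response, read both headers from the framed URL's response (for example in the DevTools Network tab) and pass them in with lower-case keys.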

FFraga
Member

Hi, I'm having the same issue. Page: https://www.kaimaging.com/medical-solutions/reveal-35c-medical/

Content Security Policy of your site blocks some resources because their origin is not included in the content security policy header

 

What's the best way to solve this?