Content-Security-Policy-Report-Only from app.hubspot.com is reporting errors to browsers

AndrewHo · ‎Jan 18, 2021

When embedding a Hubspot form in a website, Chrome is showing the following issues in Devtools:

Refused to frame app.hubspot.com because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".

I tried several changes to my own site's Content Security Policy however I am sure this is because the Content-Security-Policy-Report-Only is incorrectly configures on the domain app.hubspot.com where this is the directive:

frame-ancestors 'self'; report-uri ...

As far as I understand how frame-ancestors works, this directive is basically saying that only app.hubspot.com can use the reporting API? However the idea of the Reporting API is that clients send their issues to it when an error or issues occrurs in their browser. Hence I believe the correct change to remove these errors in clients browsers would be to remove the frame-ancestorsdirective.

More information is available here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only

dennisedson · ‎Mar 15, 2021

OK everyone, I have been told that a fix has been deployed. Let me know what you all are seeing out there now 😀

HubSpot’s AI-powered customer agent resolves up to 50% of customer queries instantly, with some customers reaching up to 90% resolution rates.
Learn More.

View solution in original post

DJenner2 · ‎Apr 15, 2025

Hi team, I'm running into a similar issue when deploying the HS chat on my site, here's the CSP error I'm seeing:

Refused to frame 'https://app.hubspot.com/' because it violates the following Content Security Policy directive: "frame-src 'self'

And the site: https://salesbot.io

About half of my time reports the widget doesn't load, and for the other half it does. Similar browsers. Any thoughts?

VitaliiPlooto · ‎Dec 8, 2022

I have the same issue with https://share.hsforms.com/

And it was working fine few days ago but now I have this:

KNickolay · ‎Mar 31, 2022

I am also having this issue today-- any updates?

DHrncir · ‎Apr 1, 2022

Looks as though it is working within our apps as of right now.

SKhegai · ‎Dec 28, 2021

I'm still getting this error.
Here is the test:
https://dev.basedigital.io/hubspot/

DHrncir · ‎Nov 1, 2021

I just redeployed an application reverting the code back to what it was before (no additional updates). All looks to be working fine. Please inform developers to "not" deploy script/security changes unless they run things through a test bed. This caused quite a bit of havoc. Thanks.

dennisedson · ‎Oct 28, 2021

A fix has been deployed. Please feel free to reach out if the issue persists.

Thanks for notifying us!

HubSpot’s AI-powered customer agent resolves up to 50% of customer queries instantly, with some customers reaching up to 90% resolution rates.
Learn More.

Unimprobable · ‎Oct 27, 2021

I am also seeing this issue.

DStineback · ‎Oct 26, 2021

We are also experiencing the same error in the console. I have read that a fix has been made but wondering if we have to create a new form and redeploy a new script?

Is there any documentation on this issue to help fix? Cheers!

dennisedson · ‎Oct 27, 2021

Hey all, I am looking into this

HubSpot’s AI-powered customer agent resolves up to 50% of customer queries instantly, with some customers reaching up to 90% resolution rates.
Learn More.

dennisedson · ‎Oct 28, 2021

As an update, the team has discovered the reason this is occurring and is working on a fix

HubSpot’s AI-powered customer agent resolves up to 50% of customer queries instantly, with some customers reaching up to 90% resolution rates.
Learn More.

austinkimhale · ‎Oct 26, 2021

Echoing what others are saying. We are seeing the same issue again. Seems to be a regression.

ZGilbert5 · ‎Oct 25, 2021

We are seeing this issue as well.

DHrncir · ‎Oct 25, 2021

Thank you for the confirmation. I appreciate it. I will let our support person know. The will truly just need to let the downstream apps handle security vs forcing top down...which in this case will not work at all. Thanks again.

DHrncir · ‎Oct 25, 2021

FYI, I'm working with David (support) on the issue. Just wanted to see if there were any others getting this. We get an error on all external sites that use the HS forms. No matter what I set locally (running on a laptop for example), this error will not go away. So assuming it's from the HS website.

DHrncir · ‎Oct 25, 2021

It looks like this issue may be back. We get this now on all external sites that use HubSpot forms: Refused to frame 'https://app.hubspot.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' app.hubspot.com".

JCusick · ‎May 27, 2021

We are still dealing with this issue. Is there a hard date when this will be fixed @dennisedson?

dennisedson · ‎May 27, 2021

@JCusick , this should be resolved as a fix was deployed. If you are still experiencing issues here, I would recommend contacting support directly.

If you do, please reference this thread in your request

HubSpot’s AI-powered customer agent resolves up to 50% of customer queries instantly, with some customers reaching up to 90% resolution rates.
Learn More.

EFinnestead · ‎Mar 23, 2021

We've had the same issue and it is causing problems with our google ads becasue the link is being rejected. Since there as been a fix, do we need to update our forms and reload?

dennisedson · ‎Mar 24, 2021

@EFinnestead , I don't think there is anything that needs to be done on your end 😀

HubSpot’s AI-powered customer agent resolves up to 50% of customer queries instantly, with some customers reaching up to 90% resolution rates.
Learn More.

APIs & Integrations