Content Security Policy and Embedded Hubspot Forms
Hey all, we are working to deploy a more robust CSP for one of our sites. This site hosts a hubspot form, and this form is loaded via inline JavaScript, and is declared directly in the HTML markup. I want to avoid allowing "unsafe-inline" in my CSP, as this allows malicious actors to inject JavaScript. Thus, I am trying to move all the inline stuff to a specific .js file that I host and which is included in our CSP file. This is working for the most part, but not for the embedded form. Is there anything special I need to bind the function to, so it knows where in the page to render itself? When I call the form.Create() function from my .js file, I get no error, but the form is not rendered (or at least not rendered in the correct location to correspond with its modal).
Any advice / best practices on moving inline-embedded Hubspot forms to an external .js file?
I can confirm that this is currently something we do not directly support. We've seen solutions implemented in the past that temporarily provide this functionality but future updates can cause these features to stop functioning.
And so, we recommend sticking with using the standard embed code rather than a custom method.
For anyone who might stumble upon this later, the HubSpot form code can be moved into a separate .js file. It's not widely documented, but the `target` attribute on this page is how you specify the location you want to render the form.
It's been a few years, but if I recall correctly, my company was more comfortable with using `unsafe-inline` for `style-src` as long as I could avoid using it for `script-src`, so that's why I didn't run into the issue that you are.
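An added example, not code from this thread or from HubSpot, that puts the two replies above together: an external script that renders the form into a `target` element instead of running inline, plus a check that the served policy really keeps `'unsafe-inline'` out of `script-src` while (as the replier's company accepted) allowing it for `style-src`. It assumes the HubSpot loader exposes `window.hbspt.forms.create({ portalId, formId, target })`; the portal and form ids are placeholders.

```javascript
// Added example (not the thread's or HubSpot's code). Assumed: the loader
// script exposes window.hbspt.forms.create({ portalId, formId, target });
// portalId/formId values are placeholders.

// Parse a CSP header into { directive: [values...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// True if an inline <script> would run under this policy. Follows the
// script-src-elem -> script-src -> default-src fallback, and honours the
// rule that a nonce, hash or 'strict-dynamic' disables 'unsafe-inline'.
function scriptSrcAllowsInline(header) {
  const policy = parseCsp(header);
  const values = (policy['script-src-elem'] || policy['script-src'] ||
    policy['default-src'] || []).map((v) => v.toLowerCase());
  const disabled = values.includes("'strict-dynamic'") ||
    values.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
  return values.includes("'unsafe-inline'") && !disabled;
}

// What the external .js file does instead of the inline embed: render into
// the element selected by `target`. `forms` and `doc` are parameters so the
// function can be exercised outside a browser.
function renderHubSpotForm(forms, doc, { portalId, formId, target }) {
  if (!doc.querySelector(target)) {
    return { rendered: false, reason: `target ${target} not in DOM` };
  }
  forms.create({ portalId, formId, target });
  return { rendered: true, reason: '' };
}

// Browser entry point: wait for the DOM so the target element exists.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    renderHubSpotForm(window.hbspt.forms, document, {
      portalId: 'PORTAL_ID_PLACEHOLDER',
      formId: 'FORM_ID_PLACEHOLDER',
      target: '#hubspot-form-modal',
    });
  });
}
```

Serve the script from your own origin so `script-src 'self'` covers it, and run `scriptSrcAllowsInline` against the header your server actually emits rather than the one in your config.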