My global client has a set of sites in HubSpot (Enterprise), using old templates with a lot of inline script and a lot of old, third-party integrations for interactive elements. (Let's say, for example, a carousel.)
Now, we're tasked with bringing all of these sites up to modern XSS/CSP/etc security standards. No small feat, when each of the sites has multiple locales, all maintained by different agencies in one portal and based on similar, but not exactly same, code.
I know I'll have to deal with the inline script by moving it out into separate files. But how would I generate a nonce in HubSpot themes/templates for these third-party inclusions? If I enable the HS-generated nonce, is it stored in a variable somewhere that I could access with HubL and insert its dynamic value into script calls?
@melindagreen - I have to declare that the technical issues here are beyond my expertise. I reviewed the related documents and other related posts on nonce use, which make it seem like a lot of this functionality is locked up internally in HubSpot.
Gah, thanks, Outlook... trying this NOT from email this time.
Honestly, I think both, unless I’m reading the documentation wrong.
What I’m looking for is how to reference a nonce on external scripts – here’s an example from content-security-policy dot com:
I’ve read the documentation on Security Settings and know how to set up a basic CSP. But in the screenshot below, the yellow box seems to be saying a randomly-generated value (nonce) is only put on scripts from HubSpot and scripts hosted on HubSpot. Am I missing something, or is that box referring to something other than the nonce?
And if the latter is the case, will checking the box for nonce work automatically for the example in the screenshot above, or do I need to reference some secret nonce value in my code?
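A minimal model of what the nonce approach in the question requires, as an added example (not HubSpot's or the thread's own code; the cdn.example hosts and the render function standing in for the HubL template are assumptions): the same per-response value goes into the header and onto every script tag, third-party includes too, and anything without it is refused.

```python
import base64
import re
import secrets


def make_nonce() -> str:
    """Fresh per-response nonce: 128 random bits, base64, never reused."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def csp_header(nonce: str) -> str:
    """Nonce-only script policy: no host allowlist, so every script must carry the nonce."""
    return f"script-src 'nonce-{nonce}' 'strict-dynamic'; object-src 'none'; base-uri 'self'"


def render_page(nonce: str) -> str:
    """Stand-in for the template output (assumed markup, not a HubSpot template).
    The carousel is third-party code, but the <script> tag is ours, so it gets the nonce.
    The last two tags are legacy includes that were never updated."""
    return f"""<html><head>
<script nonce="{nonce}" src="https://cdn.example/carousel.min.js"></script>
<script nonce="{nonce}">initCarousel('#hero');</script>
<script>var legacyInline = true;</script>
<script src="https://cdn.example/legacy-widget.js"></script>
</head></html>"""


SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def allowed_scripts(html: str, header: str) -> list:
    """Simplified browser-side check for a script-src made of nonce sources only:
    returns (src or "(inline)", allowed) per script tag in document order.
    Host sources and strict-dynamic propagation are out of scope for this model."""
    nonces = set(re.findall(r"'nonce-([^']+)'", header))
    results = []
    for match in SCRIPT_RE.finditer(html):
        attrs = dict(ATTR_RE.findall(match.group(1)))
        results.append((attrs.get("src", "(inline)"), attrs.get("nonce") in nonces))
    return results


if __name__ == "__main__":
    nonce = make_nonce()
    for src, ok in allowed_scripts(render_page(nonce), csp_header(nonce)):
        print(("allowed" if ok else "BLOCKED"), src)
```

Replaying the check with a different nonce in the header than in the page blocks everything, which is why the value must be read from the same request that rendered the markup rather than hard-coded.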
@melindagreen - I'm hoping that myself or someone else in the community can help you in your project. But can you please clarify the question? Is it related to generation of a nonce or how to pass such a value around in a module between HubL, CSS, JS perhaps?