APIs & Integrations

melindagreen
Contributor | Platinum Partner

Nonce integration beyond HS and GTM

Solved

My global client has a set of sites in HubSpot (Enterprise), using old templates with a lot of inline script and a lot of old, third-party integrations for interactive elements. (Let's say, for example, a carousel.) 

 

Now, we're tasked with bringing all of these sites up to modern XSS/CSP/etc security standards. No small feat, when each of the sites has multiple locales, all maintained by different agencies in one portal and based on similar, but not exactly same, code.

 

I know I'll have to deal with the inline script by moving it out into separate files. But how would I generate a nonce in HubSpot themes/templates for these third-party inclusions? If I enable the HS-generated nonce, is it stored in a variable somewhere that I could access it with HubL and insert its dynamic value into script calls?

 

 

0 Likes
1 Accepted Solution
SteveHTM
Solution
Guide | Solutions Partner

@melindagreen - I have to declare that the technical issues here are beyond my expertise. I reviewed the related documents and other related posts on nonce use, which make it seem like a lot of this functionality is locked up internally in HubSpot.

I see some references to use of GTM as a workaround - for example in https://community.hubspot.com/t5/APIs-Integrations/Nonce-propagation-for-hubspot-chat-scripts/m-p/43... which may offer a route forward. Otherwise an upvote on the idea community is all I may be able to offer.

 

Good luck!

 

Steve

Steve Christian

HTM Solutions

https://info.htmsolutions.biz/meetings/stevec2

Mobile: +1 6195183009
Email: stevec@htmsolutions.biz
Website: www.htmsolutions.biz
Address: San Diego, CA

0 Likes
6 Replies
melindagreen
Contributor | Platinum Partner

Gah thanks, Outlook...... trying this NOT from email this time.

Honestly, I think both, unless I’m reading the documentation wrong.

What I’m looking for is how to reference a nonce on external scripts – here’s an example from content-security-policy dot com:

screenshot_1_ref_external.png


I’ve read the documentation on Security Settings and know how to set up a basic CSP. But in the screenshot below, the yellow box seems to be saying a randomly-generated value (nonce) is only put on scripts from HubSpot and scripts hosted on HubSpot. Am I missing something, or is that box referring to something other than the nonce?

And if the latter is the case, will checking the box for nonce work automatically for the example in the screenshot above, or do I need to reference some secret nonce value in my code?

screenshot_2_hubspot_infobox.png

0 Likes
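
For the template audit this thread describes (inline scripts plus third-party includes under a nonce-based CSP), here is an added example that is not from any poster or from HubSpot: a Python check that lists which `<script>` tags a given `script-src` policy would allow. The policy, hosts, nonce value and function names are constructed assumptions, and source matching is simplified to exact hosts.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample policy and rendered template output; hosts and nonce are made up.
SAMPLE_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0mPerResponse' https://js.cdn.test"
SAMPLE_HTML = """\
<script nonce="r4nd0mPerResponse" src="https://carousel.vendor.test/c.js"></script>
<script src="https://js.cdn.test/lib.js"></script>
<script src="https://carousel.vendor.test/legacy.js"></script>
<script>initCarousel();</script>
<script src="/theme/main.js"></script>
"""

class ScriptCollector(HTMLParser):
    """Record line number, src and nonce of every <script> start tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append((self.getpos()[0], a.get("src"), a.get("nonce")))

def script_src_sources(csp):
    """Return the source expressions of the script-src directive."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []

def audit(html, csp):
    """Return (line, verdict) per script; no wildcards, hashes or default-src fallback."""
    sources = script_src_sources(csp)
    nonces = {s[7:-1] for s in sources if s.startswith("'nonce-")}
    hosts = {urlparse(s).hostname for s in sources if "://" in s}
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for line, src, nonce in collector.scripts:
        if nonce and nonce in nonces:
            verdict = "allowed (nonce)"          # nonce matches the policy
        elif src and urlparse(src).hostname in hosts:
            verdict = "allowed (host)"           # host is allowlisted
        elif src and urlparse(src).hostname is None and "'self'" in sources:
            verdict = "allowed (self)"           # same-origin relative URL
        else:
            verdict = "blocked (%s)" % ("external" if src else "inline")
        findings.append((line, verdict))
    return findings
```

Running `audit` over rendered page output shows which legacy includes still need either a matching nonce attribute or an allowlisted host before the policy is enforced.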
SteveHTM
Guide | Solutions Partner

@melindagreen - I'm hoping that myself or someone else in the community can help you in your project. But can you please clarify the question? Is it related to generation of a nonce or how to pass such a value around in a module between HubL, CSS, JS perhaps?

 

Steve

0 Likes
melindagreen
Contributor | Platinum Partner

Honestly, I think both, unless I’m reading the documentation wrong.

What I’m looking for is how to reference a nonce on external scripts – here’s an example from content-security-policy dot com:

[cid:image002.png@01DAE1BC.B753E1C0]

I’ve read the documentation on Security Settings and know how to set up a basic CSP. But in the screenshot below, the yellow box seems to be saying a randomly-generated value (nonce) is only put on scripts from HubSpot and scripts hosted on HubSpot. Am I missing something, or is that box referring to something other than the nonce?

And if the latter is the case, will checking the box for nonce work automatically for the example in the screenshot above, or do I need to reference some secret nonce value in my code?

[cid:image001.png@01DAE1BB.F1A3F8C0]
0 Likes
SteveHTM
Guide | Solutions Partner

FYI - The example images are not coming through here

0 Likes
melindagreen
Contributor | Platinum Partner

Steve, I reposted as a separate comment above and reattached images. Thanks.

0 Likes