APIs & Integrations

melindagreen
Contributor | Platinum Solutions Partner

Nonce integration beyond HS and GTM

Solved

My global client has a set of sites in HubSpot (Enterprise), using old templates with a lot of inline script and a lot of old, third-party integrations for interactive elements. (Let's say, for example, a carousel.)

Now, we're tasked with bringing all of these sites up to modern XSS/CSP/etc security standards. No small feat, when each of the sites has multiple locales, all maintained by different agencies in one portal and based on similar, but not exactly the same, code.

I know I'll have to deal with the inline script by moving it out into separate files. But how would I generate a nonce in HubSpot themes/templates for these third-party inclusions? If I enable the HS-generated nonce, is it stored in a variable somewhere that I could access it with HubL and insert its dynamic value into script calls?

 

 

0 Votes
1 Accepted solution
SteveHTM
Solution
Guide | Solutions Partner

@melindagreen - I have to declare that the technical issues here are beyond my expertise. I reviewed the related documents and other related posts on nonce use, which make it seem like a lot of this functionality is locked up internally in HubSpot.

I see some references to use of GTM as a workaround - for example in https://community.hubspot.com/t5/APIs-Integrations/Nonce-propagation-for-hubspot-chat-scripts/m-p/43... which may offer a route forward. Otherwise an upvote on the idea community is all I may be able to offer.

 

Good luck!

 

Steve

Steve Christian

HTM Solutions

https://info.htmsolutions.biz/meetings/stevec2

Mobile: +1 6195183009
Email: stevec@htmsolutions.biz
Website: www.htmsolutions.biz
Address: San Diego, CA

0 Votes
6 Replies
melindagreen
Contributor | Platinum Solutions Partner

Gah thanks, Outlook...... trying this NOT from email this time.

Honestly, I think both, unless I’m reading the documentation wrong.

What I’m looking for is how to reference a nonce on external scripts – here’s an example from content-security-policy dot com:

screenshot_1_ref_external.png


I’ve read the documentation on Security Settings and know how to set up a basic CSP. But in the screenshot below, the yellow box seems to be saying a randomly-generated value (nonce) is only put on scripts from HubSpot and scripts hosted on HubSpot. Am I missing something, or is that box referring to something other than the nonce?

And if the latter is the case, will checking the box for nonce work automatically for the example in the screenshot above, or do I need to reference some secret nonce value in my code?

screenshot_2_hubspot_infobox.png

0 Votes
SteveHTM
Guide | Solutions Partner

@melindagreen - I'm hoping that myself or someone else in the community can help you in your project. But can you please clarify the question? Is it related to generation of a nonce or how to pass such a value around in a module between HubL, CSS, JS perhaps?

 

Steve

0 Votes
melindagreen
Contributor | Platinum Solutions Partner

Honestly, I think both, unless I’m reading the documentation wrong.

What I’m looking for is how to reference a nonce on external scripts – here’s an example from content-security-policy dot com:

[cid:image002.png@01DAE1BC.B753E1C0]

I’ve read the documentation on Security Settings and know how to set up a basic CSP. But in the screenshot below, the yellow box seems to be saying a randomly-generated value (nonce) is only put on scripts from HubSpot and scripts hosted on HubSpot. Am I missing something, or is that box referring to something other than the nonce?

And if the latter is the case, will checking the box for nonce work automatically for the example in the screenshot above, or do I need to reference some secret nonce value in my code?

[cid:image001.png@01DAE1BB.F1A3F8C0]
0 Votes
SteveHTM
Guide | Solutions Partner

FYI - The example images are not coming through here

0 Votes
melindagreen
Contributor | Platinum Solutions Partner

Steve, I reposted as a separate comment above and reattached images. Thanks.

0 Votes