A guide to Content Security Policy (CSP) settings

alfiedawes

One of the problems we've faced when adding HubSpot scripts and functionality to our website is that they are loaded from various domains and sub-domains. We have a CSP in place for security reasons, so all script, iframe, form, image sources, etc. need to be put on the whitelist before they're loaded.


I'm sure there's a good reason why the scripts come from so many different domains, but perhaps a good solution would be to put a page in the knowledge base, with a table that details what you'll need to add to your CSP for all the different functionalities of HubSpot (tracking, forms etc.), which we can then copy.


Apologies if this already exists - I can't find it.


Link to CSP documentation

HubSpot updates
6 Replies
eterobby
Participant

One problematic CSP issue I've encountered is that the HubSpot Forms use inline "style" attributes for simple things like display:none and display:block that could easily be mutated by JavaScript. While it is possible to allowlist such values using hashes, that only works in Chrome with "unsafe-hashes", which is part of CSP 3. In other browsers that only support CSP 2 (the current standard), there's no available way to allowlist known inline styles, so you have to add 'unsafe-inline' to your style-src directive.

TDerenthal
Member

Instead of a link to the Mozilla docs for CSP, why not a link to the actual domains/FQDNs that we need to put in our CSP. Better yet, and forgive me the extreme snark (I'm an old guy) maybe you could make it even harder to find answers. Giving up on HubSpot in 4...3...2...1

eterobby
Participant

Here is the CSP that I'm using on a page where I've integrated a single HubSpot form (using https://js.hsforms.net/forms/shell.js) :

default-src https://*.hsforms.net https://*.hsforms.com https://cdnjs.cloudflare.com; style-src 'unsafe-inline'

Now, this is NOT:

  • Guaranteed to work indefinitely,
  • Likely to support other use cases or integrations
  • As secure as desired because it is necessary to allow all JavaScript for CloudFlare
  • Protected against XSS that leverages inline styles

At least it provides a measure of protection against XSS from other JavaScript sources.

martynjames
Member

I have built the narrowest CSP that I can that also allows for Hubspot to work. The ones that concern me the most are the need to add `'unsafe-inline'` for `style-src` and `script-src`. It would be better to have those scriptlets come from one of the (already long) list of servers that I have to add already.

LErni
Member
a starter... please add yours in a comment 😀

SCRIPT
'track.hubspot.com',
'forms.hubspot.com',
'*.hubspotusercontent20.net',
'js.hscollectedforms.net',
'js.hsleadflows.net',
'js.hs-scripts.com',
'js.hsadspixel.net',
'js.hs-analytics.net',
'js.hs-banner.com',
'js.hs-banner.net',
'*.hsforms.net',
'*.hsforms.com'

IMG
'cdn2.hubspot.net',
'f.hubspotusercontent00.net'

edit: Haven't seen comments at first glance... would like to have a universal CSP for HS but with this many domains, it kinda defeats the purpose of it. But let's collect to get an overview


edit2: Scripts coming from all over the place - doubt a one-size-fits-all CSP for HS makes sense - or even CSP & HS at all ;(

RFlynn
Member

@LErni here is my list - I haven't seen any additional errors but I don't have all the ones you have. Sure would be nice to have a published list from HubSpot:


script-src
https://*.hubspot.com
https://js.hscollectedforms.net
https://js.hsadspixel.net
https://*.hs-scripts.com
https://js.hs-banner.com
https://js.hs-analytics.net
https://forms.hsforms.com
https://*.usemessages.com


img-src
https://*.hsforms.com
https://*.hubspot.com

connect-src
https://*.hubspot.com
https://*.hubapi.com


frame-src
https://*.hubspot.com
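As a way to check a list like the one above before deploying it, here is an added example (not code from the thread or from HubSpot) that assembles a Content-Security-Policy header from per-directive allowlists and tests sample resource URLs against it using a simplified version of CSP host-source matching: scheme, wildcard host and port are checked, paths are ignored. The directive map reuses the sources posted above with 'self' added; the page origin and the sample URLs are constructed assumptions.

```javascript
// Added example, not code from the thread or from HubSpot: assemble a CSP
// header from per-directive allowlists and check which resource URLs it
// admits. Matching is a simplified form of CSP host-source matching
// (scheme, wildcard host, port); source paths are ignored.

// Sources posted in the thread plus 'self' (assumed page needs its own assets).
const DIRECTIVES = {
  'default-src': ["'self'"],
  'script-src': [
    "'self'",
    'https://*.hubspot.com',
    'https://js.hscollectedforms.net',
    'https://js.hsadspixel.net',
    'https://*.hs-scripts.com',
    'https://js.hs-banner.com',
    'https://js.hs-analytics.net',
    'https://forms.hsforms.com',
    'https://*.usemessages.com',
  ],
  'img-src': ["'self'", 'https://*.hsforms.com', 'https://*.hubspot.com'],
  'connect-src': ["'self'", 'https://*.hubspot.com', 'https://*.hubapi.com'],
  'frame-src': ['https://*.hubspot.com'],
};

// Serialise the directive map into a header value.
function buildCspHeader(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Split "scheme://*.host:port/path" into parts; null for keyword sources.
function parseHostSource(source) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\*|\d+))?(?:\/.*)?$/i.exec(source);
  if (!m) return null;
  return {
    scheme: m[1] ? `${m[1].toLowerCase()}:` : null,
    wildcard: Boolean(m[2]),
    host: m[3].toLowerCase(),
    port: m[4] || null,
  };
}

// Does one source expression admit the URL, given the page origin for 'self'?
function sourceMatches(source, url, pageOrigin) {
  const u = new URL(url);
  const origin = new URL(pageOrigin);
  if (source === "'self'") return u.origin === origin.origin;
  if (source === '*') return u.protocol === 'http:' || u.protocol === 'https:';
  const s = parseHostSource(source);
  if (!s) return false; // 'unsafe-inline', 'none', nonces and hashes never match a URL

  // Scheme: an explicit scheme must match (http: also admits https:);
  // a source without a scheme inherits the page's scheme.
  const base = s.scheme ?? origin.protocol;
  if (!(u.protocol === base || (base === 'http:' && u.protocol === 'https:'))) return false;

  // Host: "*.example.com" matches subdomains only, never example.com itself.
  const host = u.hostname.toLowerCase();
  if (s.wildcard ? !host.endsWith(`.${s.host}`) : host !== s.host) return false;

  // Port: unspecified means the scheme's default port; '*' means any port.
  if (s.port === '*') return true;
  const urlPort = u.port || DEFAULT_PORTS[u.protocol] || '';
  return urlPort === (s.port ?? DEFAULT_PORTS[u.protocol] ?? '');
}

// Fetch directives fall back to default-src when not set explicitly.
function directiveAllows(directives, directive, url, pageOrigin) {
  const sources = directives[directive] ?? directives['default-src'] ?? [];
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// Constructed sample: a page origin and resources such a page might load.
const PAGE_ORIGIN = 'https://www.example.com';
const SAMPLE_RESOURCES = [
  ['script-src', 'https://js.hs-scripts.com/123456.js'],
  ['script-src', 'https://hubspot.com/not-a-subdomain.js'],
  ['connect-src', 'https://api.hubapi.com/forms/v2/submit'],
  ['img-src', 'https://www.example.com.attacker.test/pixel.gif'],
  ['style-src', 'https://cdnjs.cloudflare.com/some.css'],
];

console.log(buildCspHeader(DIRECTIVES));
for (const [directive, url] of SAMPLE_RESOURCES) {
  console.log(directiveAllows(DIRECTIVES, directive, url, PAGE_ORIGIN) ? 'allow' : 'block', directive, url);
}
```

Two things the run makes visible: a wildcard such as `https://*.hubspot.com` does not cover the apex `hubspot.com`, and a directive that is missing (style-src here) silently inherits default-src, which is why a cloudflare stylesheet is blocked unless it is listed explicitly.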