HubSpot Ideas

alfiedawes

A guide to Content Security Policy (CSP) settings

One of the problems we've faced when adding HubSpot scripts and functionality to our website is that they are loaded from various domains and sub-domains. We have a CSP in place for security reasons, so all script, iframe, form, image sources, etc. need to be put on the whitelist before they're loaded.

I'm sure there's a good reason why the scripts come from so many different domains, but perhaps a good solution would be to put a page in the knowledge base, with a table that details what you'll need to add to your CSP for all the different functionalities of HubSpot (tracking, forms etc.), which we can then copy.

Apologies if this already exists - I can't find it.

 

Link to CSP documentation

HubSpot updates
April 27, 2023 08:49 AM

Thanks, @JHampton6. The table's updated with those now.

April 26, 2023 12:33 PM

Hey everyone!

We have officially documented a comprehensive CSP that you can use to ensure HubSpot's tools load on your sites: https://knowledge.hubspot.com/domains-and-urls/ssl-and-domain-security-in-hubspot#content-security-policy

Each domain pattern is listed with the necessary directives and the HubSpot tool that requires that domain.

14 Comments
eterobby
Participant

One problematic CSP issue I've encountered is that the HubSpot Forms use inline "style" attributes for simple things like display:none and display:block that could easily be mutated by JavaScript. While it is possible to allowlist such values using hashes, that only works in Chrome with "unsafe-hashes", which is part of CSP 3. In other browsers that only support CSP 2 (the current standard), there's no available way to allowlist known inline styles, so you have to add 'unsafe-inline' to your style-src directive.
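The hash route the comment above describes can be shown end to end. The script below is an added example, not code from the thread or from HubSpot: it computes the CSP hash-source for inline style values such as display:none, builds a style-src directive around them, and simulates the browser decision that matters here, namely that a hash only covers style attributes when 'unsafe-hashes' is present, and that 'unsafe-inline' is ignored as soon as any hash source is in the same directive. It assumes the attribute value is hashed exactly as it appears in the markup, as UTF-8.

```python
# Added example (not from the thread): allowlist inline style values by hash
# and simulate how a CSP3 browser decides whether a style attribute passes.
# Assumption: the attribute value is hashed byte-for-byte as written in the
# markup, encoded as UTF-8.
import base64
import hashlib

# Constructed sample values of the kind the comment describes.
INLINE_STYLES = ["display:none", "display:block"]

HASH_ALGOS = ("sha256", "sha384", "sha512")


def csp_hash(value: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source expression ('sha256-<base64>') for value."""
    digest = hashlib.new(algo, value.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def style_src_directive(styles, allow_attributes: bool = True) -> str:
    """Build a style-src directive that allows only the given inline styles.

    A hash on its own covers <style> element contents; the CSP Level 3
    keyword 'unsafe-hashes' is what extends the hashes to style attributes.
    """
    sources = ["'self'"] + [csp_hash(s) for s in styles]
    if allow_attributes:
        sources.append("'unsafe-hashes'")
    return "style-src " + " ".join(sources)


def parse_sources(directive: str) -> list:
    """Split a serialized directive into its source expressions."""
    return directive.split()[1:]


def attribute_allowed(sources, attribute_value: str) -> bool:
    """Simplified CSP3 decision for one inline style attribute (no nonces).

    Rules applied:
      * 'unsafe-inline' allows everything, but is ignored once a hash source
        is present in the same directive, so it cannot serve as a fallback
        for browsers that do not understand hashes.
      * A matching hash only applies to attributes if 'unsafe-hashes' is
        also present.
    """
    srcs = set(sources)
    has_hash = any(s.startswith(tuple(f"'{a}-" for a in HASH_ALGOS)) for s in srcs)
    if "'unsafe-inline'" in srcs and not has_hash:
        return True
    if not has_hash or "'unsafe-hashes'" not in srcs:
        return False
    return any(csp_hash(attribute_value, a) in srcs for a in HASH_ALGOS)


if __name__ == "__main__":
    directive = style_src_directive(INLINE_STYLES)
    print(directive)
    for value in ("display:none", "display:flex"):
        print(value, "->", attribute_allowed(parse_sources(directive), value))
```

Run it and the printed directive is what you would put in the header; display:none passes, display:flex (not hashed) is blocked. Dropping 'unsafe-hashes' blocks both, which is the CSP 2 situation the comment describes.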

TDerenthal
Member

Instead of a link to the Mozilla docs for CSP, why not a link to the actual domains/FQDNs that we need to put in our CSP. Better yet, and forgive me the extreme snark (I'm an old guy) maybe you could make it even harder to find answers. Giving up on HubSpot in 4...3...2...1

eterobby
Participant

Here is the CSP that I'm using on a page where I've integrated a single HubSpot form (using https://js.hsforms.net/forms/shell.js):

default-src https://*.hsforms.net https://*.hsforms.com https://cdnjs.cloudflare.com; style-src 'unsafe-inline'

Now, this is NOT:

  • Guaranteed to work indefinitely,
  • Likely to support other use cases or integrations
  • As secure as desired because it is necessary to allow all JavaScript for CloudFlare
  • Protected against XSS that leverages inline styles

At least it provides a measure of protection against XSS from other JavaScript sources.
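To make the caveats in the post above concrete, here is an added example (not the poster's code and not from HubSpot) that parses that exact policy string, reports the weaknesses the poster lists, and compares it with a hypothetical rearrangement of the same hosts into explicit per-directive lists. The hardened policy is an assumption for illustration and has not been tested against a live HubSpot form; 'unsafe-inline' stays on style-src because of the inline style attributes discussed earlier in the thread.

```python
# Added example (not from the thread): audit the posted CSP for the weak
# spots the poster lists, then compare with a tighter layout of the same hosts.
# The hardened policy is hypothetical and untested against a live form.
POSTED_POLICY = (
    "default-src https://*.hsforms.net https://*.hsforms.com "
    "https://cdnjs.cloudflare.com; style-src 'unsafe-inline'"
)

# Hypothetical tighter layout of the same hosts: explicit per-directive lists,
# nothing inherited from a broad default-src, and the CDN no longer allowed to
# serve scripts. 'unsafe-inline' on style-src stays (inline style attributes).
HARDENED_POLICY = (
    "default-src 'none'; "
    "script-src https://js.hsforms.net https://*.hsforms.com; "
    "connect-src https://*.hsforms.com; "
    "img-src https://*.hsforms.com; "
    "frame-src https://*.hsforms.net https://*.hsforms.com; "
    "style-src 'unsafe-inline'; "
    "base-uri 'self'; object-src 'none'"
)

# Hosts that serve arbitrary third-party libraries: allowlisting one of them
# allows any script hosted there, not just the library you intended.
SHARED_CDNS = {"cdnjs.cloudflare.com"}


def parse_csp(header: str) -> dict:
    """Parse a serialized CSP into {directive: [sources]}.
    Browsers keep the first occurrence of a directive and ignore repeats."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective(policy: dict, directive: str) -> list:
    """Sources governing a fetch directive: its own list, else default-src."""
    return policy.get(directive, policy.get("default-src", []))


def host_of(source: str) -> str:
    """Host part of a host-source expression (scheme and port stripped)."""
    return source.split("://", 1)[-1].split(":", 1)[0].lower()


def audit(policy: dict) -> list:
    """Return human-readable findings for the policy."""
    findings = []
    script = effective(policy, "script-src")
    if "script-src" not in policy and "default-src" in policy:
        findings.append("script-src inherits default-src: every default-src host may serve scripts")
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "https:", "http:"):
        if weak in script:
            findings.append(f"script-src allows {weak}")
    if "'unsafe-inline'" in effective(policy, "style-src"):
        findings.append("style-src allows 'unsafe-inline' (injected style attributes are not blocked)")
    for src in script:
        if host_of(src) in SHARED_CDNS:
            findings.append(f"script-src trusts shared CDN {host_of(src)}: any library hosted there can load")
    if "base-uri" not in policy:
        findings.append("base-uri missing: an injected <base> tag can redirect relative script URLs")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src missing: plugins may load from anywhere")
    return findings


if __name__ == "__main__":
    for label, header in (("posted", POSTED_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}:")
        for finding in audit(parse_csp(header)):
            print("  -", finding)
```

The posted policy yields four findings (scripts inherited from default-src, the style 'unsafe-inline', the shared CDN, and the missing base-uri); the hardened layout is left with only the style-src finding, which matches the poster's own assessment of what cannot be fixed on their side.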

martynjames
Member

I have built the narrowest CSP that I can that also allows for Hubspot to work. The ones that concern me the most are the need to add `'unsafe-inline'` for `style-src` and `script-src`. It would be better to have those scriptlets come from one of the (already long) list of servers that I have to add already.

LErni
Member
A starter... please add yours in a comment 😀

SCRIPT
'track.hubspot.com',
'forms.hubspot.com',
'*.hubspotusercontent20.net',
'js.hscollectedforms.net',
'js.hsleadflows.net',
'js.hs-scripts.com',
'js.hsadspixel.net',
'js.hs-analytics.net',
'js.hs-banner.com',
'js.hs-banner.net',
'*.hsforms.net',
'*.hsforms.com'

IMG
'cdn2.hubspot.net',
'f.hubspotusercontent00.net'

edit: Haven't seen comments at first glance... would like to have a universal CSP for HS but with this many domains, it kinda defeats the purpose of it. But let's collect to get an overview

edit2: Scripts coming from all over the place - doubt a one-size-fits-all CSP for HS makes sense - or even CSP & HS at all ;(

RFlynn
Member

@LErni here is my list - I haven't seen any additional errors but I don't have all the ones you have. Sure would be nice to have a published list from HubSpot:

script-src
https://*.hubspot.com
https://js.hscollectedforms.net
https://js.hsadspixel.net
https://*.hs-scripts.com
https://js.hs-banner.com
https://js.hs-analytics.net
https://forms.hsforms.com
https://*.usemessages.com

img-src
https://*.hsforms.com
https://*.hubspot.com

connect-src
https://*.hubspot.com
https://*.hubapi.com

frame-src
https://*.hubspot.com

JvanderHoeven
Member

Hey HubSpot

Get your act straight, and give us a complete up-to-date CSP listing, preferably from one domain, like Facebook does it.

This is ridiculous!


BillyBunter
Contributor

High hopes expecting HubSpot to get their act straight. There is clearly a lack of technical competence. I'm a paid user for over two years and an issue I had from the beginning hasn't been addressed yet - the automatic creation of contacts and companies from emails coming into your inbox. We end up paying for extra contacts because all spam emails end up creating one. This is probably why they don't fix it, either.

This particular issue - CSP - is another one that shows technical incompetence. Who needs a zillion domains to do this stuff - no other CRM company follows this model. We're going to have to bite the migration bullet soon and move out of HubSpot.

felipelube
Member

This is biting me. This seems to be related to a "Multi-region" change HS is doing (https://product.hubspot.com/blog/developing-an-eu-data-center).

Currently, I've seen domains like https://js.hs-scripts.com be redirected to https://js-eu1.hs-scripts.com

Can someone at least list those suffixes? We need to comply with strict CSP rules here, I'm avoiding adding a wildcard whenever possible.
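The regional redirect described in this post, and the per-directive host lists posted earlier by RFlynn, can be checked against each other before a policy goes live. The script below is an added example, not HubSpot's code and not from any poster: it assembles a Content-Security-Policy header from a directive-to-hosts mapping and implements the CSP host-source matching rules (a leading `*.` matches one or more extra labels, a bare host matches only itself, an explicit scheme or port must agree), so you can see which observed script URLs a given list would block. The host lists are copied from RFlynn's comment purely for illustration; they are not a complete or official HubSpot list, and the sample URLs are constructed.

```python
# Added example (not from the thread): build a CSP header from per-directive
# host lists and test which URLs it admits, including regional hosts such as
# js-eu1.hs-scripts.com. Host lists below are illustrative, taken from a
# comment in this thread, not an official HubSpot list.
from urllib.parse import urlsplit

POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://*.hubspot.com", "https://*.hs-scripts.com",
                   "https://js.hs-analytics.net", "https://js.hs-banner.com",
                   "https://js.hscollectedforms.net", "https://forms.hsforms.com"],
    "img-src": ["'self'", "https://*.hsforms.com", "https://*.hubspot.com"],
    "connect-src": ["'self'", "https://*.hubspot.com", "https://*.hubapi.com"],
    "frame-src": ["https://*.hubspot.com"],
}


def build_header(policy: dict) -> str:
    """Serialize {directive: [sources]} into a Content-Security-Policy value."""
    return "; ".join(f"{d} {' '.join(srcs)}" for d, srcs in policy.items())


def host_matches(pattern: str, host: str) -> bool:
    """CSP host matching: '*' matches anything; '*.example.com' matches any
    host with at least one extra label under example.com (not example.com
    itself); anything else must match exactly, case-insensitively."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]               # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def source_allows(source: str, url: str) -> bool:
    """Does one host-source expression (scheme://host[:port]) admit url?
    Keyword sources such as 'self' need page context and count as no match."""
    if source.startswith("'"):
        return False
    parts = urlsplit(url)
    scheme, sep, hostport = source.partition("://")
    if not sep:                            # scheme-less source: scheme not checked here
        hostport = source
    elif scheme.lower() != parts.scheme.lower():
        return False
    host, _, port = hostport.partition(":")
    url_port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    if port and port != "*" and port != str(url_port):
        return False
    return host_matches(host, parts.hostname or "")


def allowed_by(policy: dict, directive: str, url: str) -> bool:
    """Check url against a fetch directive, falling back to default-src when
    the directive is absent (frame-src also consults child-src first; omitted)."""
    sources = policy.get(directive) or policy.get("default-src", [])
    return any(source_allows(s, url) for s in sources)


def rejected(policy: dict, directive: str, urls) -> list:
    """URLs the policy would block; handy for previewing a policy against the
    hosts seen in Content-Security-Policy-Report-Only violation reports."""
    return [u for u in urls if not allowed_by(policy, directive, u)]


if __name__ == "__main__":
    print(build_header(POLICY))
    # Constructed sample of observed script URLs, including a regional redirect.
    observed = [
        "https://js.hs-scripts.com/123456.js",
        "https://js-eu1.hs-scripts.com/123456.js",
        "https://js-eu1.hs-analytics.net/analytics/x.js",
        "http://js.hs-scripts.com/123456.js",
    ]
    print("blocked:", rejected(POLICY, "script-src", observed))
```

With this list the wildcard entry `https://*.hs-scripts.com` already admits the eu1 host, while the exact entry `https://js.hs-analytics.net` would block a regional `js-eu1.hs-analytics.net`, which is the kind of gap a Report-Only rollout surfaces before the enforcing header breaks a form.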

RFlynn
Member

I agree with @felipelube - please make a page of all the scripts for CSP. We are stumbling around in the dark making sure we capture all the instances of these scripts used world wide.

JAmbron
Member

I'm currently migrating to Hubspot from Pardot and getting Hubspot integrated into our WordPress website has been a nightmare. There are so many different domains we need to unblock from our CSP. Really, Hubspot? Pardot is outclassing you?

No other CRM company follows this model. I'm seriously questioning this migration to your CRM.

cwilliford
HubSpot Development Team

Hey everyone!

We have officially documented a comprehensive CSP that you can use to ensure HubSpot's tools load on your sites: https://knowledge.hubspot.com/domains-and-urls/ssl-and-domain-security-in-hubspot#content-security-p...

Each domain pattern is listed with the necessary directives and the HubSpot tool that requires that domain.

JHampton6
Member

@cwilliford it looks like that support documentation is still missing some CSP policies for connect-src. These include:

*.hsforms.com
*.hs-banner.com
*.hscollectedforms.net

There also appears to be a typo in this line:

[screenshot: JHampton6_0-1682544936699.png]

I believe it should be *.hubspot.com instead of *hubspot.com as currently noted.


cwilliford
HubSpot Development Team

Thanks, @JHampton6. The table's updated with those now.