To be as secure as possible, I have crafted the least-permissible Content-Security-Policy (CSP) to work with our website. Of course to run HubSpot integration there are some servers to include from whence hubspot draws it's script and style content - all well and good.
However, this whole process uses _inline_ scripts and styles which our CSP now needs to allow; and it would be more secure to not allow inline scripts and styles.
Ideally, Hubspot would simply deliver this content as small resources (js or css files) instead of writing the content inline, then I'd not have to add it. For more info about why I'd rather not have it see here - https://content-security-policy.com/unsafe-inline/
For right now, I will probably add hashes for the inline content, but I'll need to experiment because it's possible that the content changes - perhaps even likely given that it has been chosen to not deliver it as a resource.