We are using strong content security policy on our website which requires all inline scripts to be "approved" in the response headers that are given to the browser when a web page loads. Approval can be provided via a "hash" or a "nonce". Nonces are more robust than hashes because hashes will change if the script changes in any way. Nonces, however, need to be added as an attribute to the script tag when they are generated and they have to change on every request. When we add the hubspot chat to our web page, it is done with a pixel. I've tried to attach it here but it seems this forum won't let me upload html as part of this post. js.hs-scripts.com then runs and generates an inline script which it inserts into our web page. Unfortunately, it does not read the nonce from this tag and then add that nonce to the script tag that it generates. As a result, we have to add a hash to the content security policy in our response headers, but this is fragile because it won't work if the hubspot inline script ever changes. The current situation leaves a pretty big security hole in websites that use the hubspot chat. It would be great if the hubspot script loader could be updated to read the nonce from this pixel and then add it to the script tag of any generated inline scripts. Alternatively, hubspot could avoid injecting inline scripts. Not sure if that is possible.