Bug: Content Security Policy problems


#1

CSP: Content Security Policy

Problem:

Embedding JavaScript tracking on our website is blocked by CSP policies.

Current setup:

Our server's current CSP policy includes https://js.hs-scripts.com and https://js.hs-analytics.net.

Recreate problem:

  • Embed the JavaScript on the website, e.g.: <script type="text/javascript" id="hs-script-loader" async defer src="https://js.hs-scripts.com/NNNNNNN.js"></script>
  • When loading the webpage, an error is printed in the console: Loading failed for the <script> with source “http://js.hs-analytics.net/analytics/XXXXXXXXXXXXX/NNNNNNN.js”.

Our CSP policy refuses connections to unsafe HTTP sources.

  • When we instead try to directly embed the resource, e.g.: <script type="text/javascript" id="hs-script-loader" async defer src="https://js.hs-analytics.net/analytics/XXXXXXXXXXXXX/NNNNNNN.js.js"></script>
  • When loading the webpage, an error is printed in the console: Content Security Policy: The page’s settings blocked the loading of a resource at http://track.hubspot.com/__ptq.gif?abcxyz... (GET-param redacted for privacy reasons)

The connection fails again because our CSP policy refuses connections to unsafe HTTP sources.

Suggested solution:

Please make sure to include HTTPS resources at all times.

Sincerely,
kunambi
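The blocking described above follows directly from how browsers match a URL against a CSP source expression: a host-source written with an explicit `https://` scheme never matches an `http://` URL, regardless of the host. The following is an added example (it is not kunambi's code, nor HubSpot's) implementing a simplified version of the CSP3 "match url to source expression" rules in Python. The policy string, the page origin `https://www.example.com/` and the `k=v` query parameter are constructed; the vendor hosts and the `NNNNNNN`/`XXXXXXXXXXXXX` placeholders are the ones from the post.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # The first occurrence of a directive wins, as in the browser.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _scheme_ok(expr_scheme, url_scheme):
    # An http source also covers https URLs (secure upgrade); the reverse is not allowed.
    return url_scheme == expr_scheme or (expr_scheme == "http" and url_scheme == "https")


def _host_ok(expr_host, url_host):
    if expr_host.startswith("*."):
        return url_host.endswith(expr_host[1:])  # "*.example.com" matches subdomains only
    return expr_host == url_host


def _port_ok(expr_port, url_scheme, url_port):
    effective = url_port or DEFAULT_PORTS.get(url_scheme)
    if expr_port is None:
        return effective == DEFAULT_PORTS.get(url_scheme)
    if expr_port == "*":
        return True
    return effective == int(expr_port)


def source_matches(expr, url, page):
    """Simplified CSP3 URL-to-source-expression matching (host, scheme and keyword sources)."""
    u, p = urlsplit(url), urlsplit(page)
    expr_l = expr.lower()
    if expr_l == "'none'":
        return False
    if expr_l == "'self'":
        return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme)) == \
               (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))
    if expr_l.startswith("'"):
        return False  # nonces, hashes and 'unsafe-*' are not URL matches
    if expr_l == "*":
        return u.scheme in DEFAULT_PORTS
    if expr_l.endswith(":") and "/" not in expr_l:
        return _scheme_ok(expr_l[:-1], u.scheme)  # scheme-source such as "https:"
    # host-source: [scheme://] host [:port] [path]
    scheme, rest = expr_l.split("://", 1) if "://" in expr_l else (None, expr_l)
    hostport, _, path = rest.partition("/")
    path = "/" + path if path or rest.endswith("/") else ""
    host, _, port = hostport.partition(":")
    if scheme is None:
        # A scheme-less host-source inherits the page's scheme (an http page may also load https).
        if not _scheme_ok(p.scheme, u.scheme):
            return False
    elif not _scheme_ok(scheme, u.scheme):
        return False  # this is the branch that blocks http://js.hs-analytics.net/...
    if not _host_ok(host, u.hostname or ""):
        return False
    if not _port_ok(port or None, u.scheme, u.port):
        return False
    if path:
        upath = u.path or "/"
        return upath.startswith(path) if path.endswith("/") else upath == path
    return True


def allowed(header, directive, url, page):
    """Decide whether `directive` (falling back to default-src) permits loading `url`."""
    csp = parse_csp(header)
    sources = csp.get(directive.lower())
    if sources is None:
        sources = csp.get("default-src")
    if sources is None:
        return True  # no governing directive: the policy does not restrict this fetch
    return any(source_matches(s, url, page) for s in sources)


# Constructed policy modelled on the one described in the post: the vendor hosts are
# listed with an explicit https:// scheme, so only https URLs on those hosts match.
POLICY = ("default-src 'self'; "
          "script-src 'self' https://js.hs-scripts.com https://js.hs-analytics.net; "
          "img-src 'self' https://track.hubspot.com")

if __name__ == "__main__":
    page = "https://www.example.com/"  # constructed page origin
    for directive, url in [
        ("script-src", "https://js.hs-scripts.com/NNNNNNN.js"),
        ("script-src", "http://js.hs-analytics.net/analytics/XXXXXXXXXXXXX/NNNNNNN.js"),
        ("img-src", "http://track.hubspot.com/__ptq.gif?k=v"),
        ("img-src", "https://track.hubspot.com/__ptq.gif?k=v"),
    ]:
        verdict = "allowed" if allowed(POLICY, directive, url, page) else "BLOCKED"
        print(f"{directive:10} {url} -> {verdict}")
```

Running it reproduces the two console errors from the post as `BLOCKED` verdicts and shows the same resources passing once they are requested over https. The scheme-less branch also explains the follow-up finding: a host-source without a scheme inherits the page's scheme, so on an http staging page it would match http URLs, whereas an explicit `https://` source keeps blocking them.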


#2

We realized that this happened because our staging server didn't run on HTTPS. Running your scripts over HTTPS does not create these problems.

However, I still suggest that you should always load your resources over HTTPS.

Will let this post remain, in case anyone else has the same issue.

Thanks,
kunambi