/
HubSpot.xml
157 lines (110 loc) · 3.58 KB
/
HubSpot.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
<!--
Other HubSpot rulesets:
- HS-analytics.net.xml
- HSappstatic.net.xml
- HSstatic.net.xml
- HubSpot.net.xml
- HubSpot_QA.com.xml
- leadin.com.xml
s3.amazonaws.com/css.blog.hubspot.com/
- s3.amazonaws.com/cdn1.hubspot.com/
hubspot-marketplace.s3.amazonaws.com
- hubspot.force.com
- help.hubspot.com
- a.performable.com
- go.hubspot.com
ideas.hubspot.com is handled in Uservoice-clients.xml.
Nonfunctional domains:
- hubspot.com subdomains:
- cta-redirect ²
- go *
- help (cert: slotmatching8.salesforce.com; redirects to http)
- hugs (504, akamai; redirects to www.inboundconference.com over http)
- learning *
- university.web11 (times out)
- (www.)inboundconference.com (times out)
² Refused
* 503, akamai
Problematic domains:
- hubspot.com subdomains:
- br ²
- cdn1 (akamai 503, valid cert)
- dev (works, akamai)
- forums ²
- ideas ¹
- www.inbound.com (works, akamai)
² Mismatched
¹ Dropped, preemptable redirect
Insecure cookies are set for these hosts: ᶜ
- designers.hubspot.com
- offers.hubspot.com
ᶜ See https://owasp.org/index.php/SecureFlag
track sets "hsfirstvisit" and "hubspotutk" wildcard
cookies on domains from which it is loaded.
js.hubspot.com sets the following wildcard cookies
on whichever domains it is loaded from:
- hsfirstvisit
- __hssc
- __hssrc
- __hstc
- hubspotutk
Mixed content:
- Images, on:
- academy, designers, developers from cdn[12].hubspot.com
- br, offers from cdn2.hubspot.net ˢ
ˢ Secured by us, see https://www.paulirish.com/2010/the-protocol-relative-url/
-->
<ruleset name="HubSpot.com">
<!-- Direct rewrites:
-->
<target host="hubspot.com" />
<target host="academy.hubspot.com" />
<target host="app.hubspot.com" />
<target host="blog.hubspot.com" />
<target host="designers.hubspot.com" />
<target host="developers.hubspot.com" />
<target host="forms.hubspot.com" />
<target host="forums.hubspot.com" />
<target host="info.hubspot.com" />
<target host="js.hubspot.com" />
<target host="knowledge.hubspot.com" />
<target host="leadin.hubspot.com" />
<target host="legal.hubspot.com" />
<target host="library.hubspot.com" />
<target host="login.hubspot.com" />
<target host="marketplace.hubspot.com" />
<target host="no-cache.hubspot.com" />
<target host="offers.hubspot.com" />
<target host="sites-auth.hubspot.com" />
<target host="static.hubspot.com" />
<target host="static2cdn.hubspot.com" />
<target host="track.hubspot.com" />
<target host="tracking.hubspot.com" />
<target host="www.hubspot.com" />
<!-- Mixed images, sets cookies without Secure:
-->
<!--test url="http://offers.hubspot.com/contact-sales" /-->
<!-- Complications:
-->
<target host="cdn.blog.hubspot.com" />
<target host="cdn1.hubspot.com" />
<target host="jobs.hubspot.com" />
<!-- Not secured by server:
-->
<!--securecookie host="^designers\.hubspot\.com$" name="^PagesViewedThisSession$" /-->
<!--securecookie host="^offers\.hubspot\.com$" name="^(?:hs_ab_test_\d+|hsPagesViewedThisSession)$" /-->
<securecookie host=".+" name=".+" />
<rule from="^http://cdn\.blog\.hubspot\.com/"
to="https://s3.amazonaws.com/cdn.hubspot.com/" />
<rule from="^http://cdn1\.hubspot\.com/"
to="https://s3.amazonaws.com/cdn1.hubspot.com/" />
<rule from="^http://forums\.hubspot\.com/"
to="https://community.hubspot.com/" />
<!-- - Doesn't work over https
- Redirects like so over http
-->
<rule from="^http://jobs\.hubspot\.com/"
to="https://www.hubspot.com/jobs/" />
<rule from="^http:"
to="https:" />
</ruleset>