Cross-Domain Subresource Integrity Exclusion

Ingrid

Select scripts are excluded from the Cross-Domain Subresource Integrity Check if they cannot have the integrity attribute set. The following patterns are used to determine scripts for exclusion:

{
  'Google Tag Manager': 'www\\.googletagmanager\\.com',
  'Facebook Pixel': 'connect\\.facebook\\.net',
  'Google Analytics 4': 'googletagmanager\\.com/gtag/js',
  'Intercom': 'widget\\.intercom\\.io',
  'Hotjar': 'static\\.hotjar\\.com',
  'Optimizely': 'cdn\\.optimizely\\.com',
  'Stripe.js': 'js\\.stripe\\.com',
  'Facebook SDK': 'connect\\.facebook\\.net/.*/sdk\\.js',
  'Google Fonts': 'fonts\\.googleapis\\.com',
  'VWO': 'dev\\.visualwebsiteoptimizer\\.com',
  'Google Optimize': 'googleoptimize\\.com/optimize\\.js',
  'Google Ads': 'pagead2\\.googlesyndication\\.com',
  'DoubleClick': 'stats\\.g\\.doubleclick\\.net',
  'Mixpanel': 'cdn\\.mxpnl\\.com',
  'Segment': 'cdn\\.segment\\.com',
  'Tawk.to': 'embed\\.tawk\\.to',
  'Drift': 'js\\.driftt\\.com',
  'Twitter Widget': 'platform\\.twitter\\.com',
  'LinkedIn Badge': 'platform\\.linkedin\\.com',
  'PayPal': 'www\\.paypal\\.com',
  'Square': 'js\\.squareup\\.com/v2/paymentform',
  'SystemJS Dynamic Loader': 'unpkg\\.com/systemjs@[\\d.]+/dist/system\\.min\\.js',
  'Socket.IO': 'cdn\\.socket\\.io',
  'Pusher': 'js\\.pusher\\.com',
  'OneTrust': 'cdn\\.cookielaw\\.org',
  'TrustArc': 'consent\\.trustarc\\.com',
  'TrustArc / TRUSTe': 'consent\\.truste\\.com',
  'Cookiebot': 'consent\\.cookiebot\\.com',
  'Usercentrics': 'app\\.usercentrics\\.eu',
  'Quantcast Choice': 'cmp\\.quantcast\\.com',
  'Civic Cookie Control': 'cc\\.cdn\\.civiccomputing\\.com',
  'Didomi': 'privacy-center\\.org',
  'IAB TCF CMPs': 'cdn\\.consentmanager\\.net',
  'Adobe Launch': 'assets\\.adobedtm\\.com',
  'Tealium iQ': 'tags\\.tiqcdn\\.com',
  'Segment (Analytics.js)': 'cdn\\.segment\\.com',
  'Ensighten Manage': 'nexus\\.ensighten\\.com',
  'TagCommander': 'cdn\\.tagcommander\\.com/.*/.*\\.js',
  'Auth0': 'cdn\\.auth0\\.com',
  'Firebase Auth': 'www\\.gstatic\\.com',
  'New Relic Browser': 'js-agent\\.newrelic\\.com',
  'Datadog RUM': 'www\\.datadoghq-browser-agent\\.com',
  'PerimeterX': 'client\\.perimeterx\\.net/.*/main\\.min\\.js',
  'LinkedIn Bot Pixel': 'px\\.ads\\.linkedin\\.com',
  'Qualtrics': 'siteintercept\\.qualtrics\\.com',
  'SurveyMonkey': 'cdn\\.mparticle\\.com',
  'WalkMe': 'cdn\\.walkme\\.com',
  'Social Intents': 'cdn\\.socialintents\\.com',
  'Okta Auth CDN': 'global\\.oktacdn\\.com',
  'Wix Static Assets': 'static\\.parastorage\\.com',
  'Google Ads (DoubleClick gads)': 'googleads\\.g\\.doubleclick\\.net',
  'Google Fonts CSS': 'fonts\\.googleapis\\.com',
  'Google Ad Services Partner': 'partner\\.googleadservices\\.com',
  'HubSpot UGC Assets': 'cdn2\\.hubspotusercontent40\\.net',
  'Invoca Call Tracking': 'solutions\\.invocacdn\\.com',
  'YouTube IFrame API': 'www\\.youtube\\.com',
  'Adobe Everest JS': 'www\\.everestjs\\.net',
  'AppDynamics RUM': 'cdn\\.appdynamics\\.com',
  'Sojern Beacon': 'beacon\\.sojern\\.com',
  'Bing UET Tag': 'bat\\.bing\\.com',
  'OpenAI Chat Widget': 'chat\\.openai\\.com/embed\\.js',
  'Langchain.js': 'cdn\\.jsdelivr\\.net/npm/langchain@latest/langchain\\.min\\.js',
  'HuggingFace Inference SDK': 'cdn\\.jsdelivr\\.net/npm/@huggingface/inference@latest',
  'Botpress Webchat': 'cdn\\.botpress\\.cloud/webchat/.*/inject\\.js',
  'Langfuse SDK': 'cdn\\.langfuse\\.com/sdk\\.js',
  'PromptLayer SDK': 'unpkg\\.com/@promptlayer/browser',
  'Helicone': 'cdn\\.helicone\\.io/script\\.js',
  'Google Analytics (legacy)': 'www\\.google-analytics\\.com',
  'Google Analytics (SSL)': 'ssl\\.google-analytics\\.com',
  'Google AdSense': 'www\\.google\\.com',
  'Google reCAPTCHA': 'google\\.com/recaptcha/api\\.js',
  'Bluehost Media': 'www\\.bluehost\\.com',
  'Outbrain Tracking': 'wave\\.outbrain\\.com',
  'Splunk Signalfx': 'cdn\\.signalfx\\.com',
  'HubSpot Content': 'hubspotusercontent.*\\.net/hubfs/.*\\.js',
  'HubSpot Main JS': 'js\\.hubspot\\.com',
  'HubSpot Banner': 'js\\.hs-banner\\.com',
  'Microsoft Clarity': 'www\\.clarity\\.ms',
  'Toast UI CDN': 'uicdn\\.toast\\.com',
  'Okta Static CDN': '.*oktacdn\\.com',
  'Medallia Kampyle Widget': 'nebula-cdn\\.kampyle\\.com',
  'Consentmanager CMP': 'cdn\\.consentmanager\\.net',
  'Sentry Browser SDK (CDN)': 'browser\\.sentry-cdn\\.com',
  'HubSpot UGC CDN': 'hubspotusercontent.*\\.net'
}

Example Scripts

See example scripts and test for:

- Google Analytics
- Google Tag Manager
- HubSpot Analytics
- HubSpot Chat
- LinkedIn Insight Tag
- Wistia
- Zoominfo

June 24, 2025: Version 08-JUN-2025.
April 30, 2025: Published.

1 comment

Anthony Pinto
October 16, 2025 18:24

Could you please list these exclusions in alphabetical order? If I want to see all exclusions for Google, there's 12 entries scattered from the top to the bottom. Can they be sorted alphabetically or grouped by vendor?
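The exclusion step described in the article above, sketched as an added example (not the vendor's own code): it classifies each external script on a page and exempts cross-domain scripts without `integrity` only when they match an exclusion pattern. The names `classify_scripts`, `ScriptCollector` and the sample page are hypothetical, and applying each pattern as an unanchored regex search over host plus path is an assumption, since the article does not say how the patterns are matched.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# A few patterns copied from the article's list (same escaping as on the page).
EXCLUSIONS = {
    'Google Tag Manager': 'www\\.googletagmanager\\.com',
    'Stripe.js': 'js\\.stripe\\.com',
    'Google reCAPTCHA': 'google\\.com/recaptcha/api\\.js',
    'HubSpot Content': 'hubspotusercontent.*\\.net/hubfs/.*\\.js',
}

class ScriptCollector(HTMLParser):
    """Collect (src, has_integrity) for every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == 'script' and attrs.get('src'):
            self.scripts.append((attrs['src'], bool(attrs.get('integrity'))))

def classify_scripts(page_url, html):
    """Return {absolute_src: verdict} for each external script on the page."""
    collector = ScriptCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).netloc.lower()
    verdicts = {}
    for src, has_integrity in collector.scripts:
        url = urlsplit(urljoin(page_url, src))  # resolves relative and //host forms
        key = url.geturl()
        if url.netloc.lower() == page_host:
            verdicts[key] = 'same-domain'        # not a cross-domain script
        elif has_integrity:
            verdicts[key] = 'integrity-present'  # SRI attribute is set
        else:
            # Assumption: unanchored search over host + path, query ignored.
            target = url.netloc.lower() + url.path
            hit = [n for n, p in EXCLUSIONS.items() if re.search(p, target)]
            verdicts[key] = f'excluded: {hit[0]}' if hit else 'finding'
    return verdicts

# Constructed sample page (not from the article).
SAMPLE_HTML = """
<script src="/static/app.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-CONSTRUCTED"></script>
<script src="https://cdn.example.net/other.js"></script>
<script src="//js.stripe.com/v3/"></script>
"""
```

Only `https://cdn.example.net/other.js` is left as a finding on the sample page; hosting that file yourself or pinning it with an `integrity` hash would clear it.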