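Some scripts are excluded from the Cross-Domain Subresource Integrity Check because the integrity attribute cannot be set on them. An excluded script is not integrity-verified; exclusion only means that this check does not report it. The following patterns determine which scripts are excluded: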
// Exclusion patterns for the Cross-Domain Subresource Integrity Check.
// Each entry maps a display label to a regular-expression source string; the
// doubled backslash is string-literal escaping, so `\\.` matches a literal dot.
// NOTE(review): no pattern carries `^` or `$` anchors, and the page does not show
// how the patterns are applied (host only or full URL, search or full match);
// confirm that before reusing the list. If they are applied as an unanchored
// search, a host-only entry exempts every script URL containing that host text,
// while a path-scoped entry exempts only the named file.
// Several entries repeat or overlap earlier ones; they are marked inline.
{
'Google Tag Manager': 'www\\.googletagmanager\\.com',
'Facebook Pixel': 'connect\\.facebook\\.net',
'Google Analytics 4': 'googletagmanager\\.com/gtag/js',
'Intercom': 'widget\\.intercom\\.io',
'Hotjar': 'static\\.hotjar\\.com',
'Optimizely': 'cdn\\.optimizely\\.com',
'Stripe.js': 'js\\.stripe\\.com',
// Path-scoped entry on the same host that 'Facebook Pixel' already lists host-wide.
'Facebook SDK': 'connect\\.facebook\\.net/.*/sdk\\.js',
'Google Fonts': 'fonts\\.googleapis\\.com',
'VWO': 'dev\\.visualwebsiteoptimizer\\.com',
'Google Optimize': 'googleoptimize\\.com/optimize\\.js',
'Google Ads': 'pagead2\\.googlesyndication\\.com',
'DoubleClick': 'stats\\.g\\.doubleclick\\.net',
'Mixpanel': 'cdn\\.mxpnl\\.com',
'Segment': 'cdn\\.segment\\.com',
'Tawk.to': 'embed\\.tawk\\.to',
'Drift': 'js\\.driftt\\.com',
'Twitter Widget': 'platform\\.twitter\\.com',
'LinkedIn Badge': 'platform\\.linkedin\\.com',
'PayPal': 'www\\.paypal\\.com',
'Square': 'js\\.squareup\\.com/v2/paymentform',
// `[\\d.]+` accepts any version number, so no single release is pinned.
'SystemJS Dynamic Loader': 'unpkg\\.com/systemjs@[\\d.]+/dist/system\\.min\\.js',
'Socket.IO': 'cdn\\.socket\\.io',
'Pusher': 'js\\.pusher\\.com',
'OneTrust': 'cdn\\.cookielaw\\.org',
'TrustArc': 'consent\\.trustarc\\.com',
'TrustArc / TRUSTe': 'consent\\.truste\\.com',
'Cookiebot': 'consent\\.cookiebot\\.com',
'Usercentrics': 'app\\.usercentrics\\.eu',
'Quantcast Choice': 'cmp\\.quantcast\\.com',
'Civic Cookie Control': 'cc\\.cdn\\.civiccomputing\\.com',
'Didomi': 'privacy-center\\.org',
'IAB TCF CMPs': 'cdn\\.consentmanager\\.net',
'Adobe Launch': 'assets\\.adobedtm\\.com',
'Tealium iQ': 'tags\\.tiqcdn\\.com',
// Same pattern as 'Segment' above.
'Segment (Analytics.js)': 'cdn\\.segment\\.com',
'Ensighten Manage': 'nexus\\.ensighten\\.com',
'TagCommander': 'cdn\\.tagcommander\\.com/.*/.*\\.js',
'Auth0': 'cdn\\.auth0\\.com',
'Firebase Auth': 'www\\.gstatic\\.com',
'New Relic Browser': 'js-agent\\.newrelic\\.com',
'Datadog RUM': 'www\\.datadoghq-browser-agent\\.com',
'PerimeterX': 'client\\.perimeterx\\.net/.*/main\\.min\\.js',
'LinkedIn Bot Pixel': 'px\\.ads\\.linkedin\\.com',
'Qualtrics': 'siteintercept\\.qualtrics\\.com',
// NOTE(review): the label says SurveyMonkey but the host is mparticle; verify which is intended.
'SurveyMonkey': 'cdn\\.mparticle\\.com',
'WalkMe': 'cdn\\.walkme\\.com',
'Social Intents': 'cdn\\.socialintents\\.com',
'Okta Auth CDN': 'global\\.oktacdn\\.com',
'Wix Static Assets': 'static\\.parastorage\\.com',
'Google Ads (DoubleClick gads)': 'googleads\\.g\\.doubleclick\\.net',
// Same pattern as 'Google Fonts' above.
'Google Fonts CSS': 'fonts\\.googleapis\\.com',
'Google Ad Services Partner': 'partner\\.googleadservices\\.com',
'HubSpot UGC Assets': 'cdn2\\.hubspotusercontent40\\.net',
'Invoca Call Tracking': 'solutions\\.invocacdn\\.com',
'YouTube IFrame API': 'www\\.youtube\\.com',
'Adobe Everest JS': 'www\\.everestjs\\.net',
'AppDynamics RUM': 'cdn\\.appdynamics\\.com',
'Sojern Beacon': 'beacon\\.sojern\\.com',
'Bing UET Tag': 'bat\\.bing\\.com',
'OpenAI Chat Widget': 'chat\\.openai\\.com/embed\\.js',
// The next two patterns name the floating `@latest` tag rather than a fixed
// version, so the file served can change over time and a fixed hash cannot be
// pinned; loading an exact version instead would make SRI possible.
'Langchain.js': 'cdn\\.jsdelivr\\.net/npm/langchain@latest/langchain\\.min\\.js',
'HuggingFace Inference SDK': 'cdn\\.jsdelivr\\.net/npm/@huggingface/inference@latest',
'Botpress Webchat': 'cdn\\.botpress\\.cloud/webchat/.*/inject\\.js',
'Langfuse SDK': 'cdn\\.langfuse\\.com/sdk\\.js',
'PromptLayer SDK': 'unpkg\\.com/@promptlayer/browser',
'Helicone': 'cdn\\.helicone\\.io/script\\.js',
'Google Analytics (legacy)': 'www\\.google-analytics\\.com',
'Google Analytics (SSL)': 'ssl\\.google-analytics\\.com',
// Host-wide entry; much broader than the path-scoped reCAPTCHA entry that follows.
'Google AdSense': 'www\\.google\\.com',
'Google reCAPTCHA': 'google\\.com/recaptcha/api\\.js',
'Bluehost Media': 'www\\.bluehost\\.com',
'Outbrain Tracking': 'wave\\.outbrain\\.com',
'Splunk Signalfx': 'cdn\\.signalfx\\.com',
'HubSpot Content': 'hubspotusercontent.*\\.net/hubfs/.*\\.js',
'HubSpot Main JS': 'js\\.hubspot\\.com',
'HubSpot Banner': 'js\\.hs-banner\\.com',
'Microsoft Clarity': 'www\\.clarity\\.ms',
'Toast UI CDN': 'uicdn\\.toast\\.com',
// The leading `.*` is not limited to a subdomain boundary, so this matches any
// text ending in `oktacdn.com`; it also covers 'Okta Auth CDN' above.
'Okta Static CDN': '.*oktacdn\\.com',
'Medallia Kampyle Widget': 'nebula-cdn\\.kampyle\\.com',
// Same pattern as 'IAB TCF CMPs' above.
'Consentmanager CMP': 'cdn\\.consentmanager\\.net',
'Sentry Browser SDK (CDN)': 'browser\\.sentry-cdn\\.com',
// Host-wide form of the 'HubSpot Content' pattern; under search matching it
// also covers 'HubSpot UGC Assets'.
'HubSpot UGC CDN': 'hubspotusercontent.*\\.net'
}
Example Scripts
See example scripts and test for:
- Google Analytics
- Google Tag Manager
- HubSpot Analytics
- HubSpot Chat
- LinkedIn Insight Tag
- Wistia
- Zoominfo
- June 24, 2025: Version 08-JUN-2025.
- April 30, 2025: Published.
Feedback
1 comment
Could you please list these exclusions in alphabetical order? If I want to see all exclusions for Google, there are 12 entries scattered from the top to the bottom. Can they be sorted alphabetically or grouped by vendor?