Configuring a CSP
A Content Security Policy (CSP) is used to restrict the resources a browser is allowed to load. The CSP can also limit the functionality of script and style resources. Adobe Experience Platform Web SDK does not require a CSP, but adding one reduces the attack surface and helps protect against malicious attacks such as injected scripts.
The CSP needs to reflect how Platform Web SDK is deployed and configured. The following CSP shows what changes may be necessary for the SDK to function properly. Additional CSP settings will likely be required, depending on your specific environment.
Content security policy example
The following examples show how to configure a CSP.
Allow access to the edge domain
default-src 'self';
connect-src 'self' EDGE-DOMAIN
In the above example, EDGE-DOMAIN should be replaced with the first-party domain. The first-party domain is the one configured in the edgeDomain setting. If no first-party domain has been configured, EDGE-DOMAIN should be replaced with *.adobedc.net. If visitor migration is turned on using idMigrationEnabled, the connect-src directive also needs to include *.demdex.net.
Use NONCE to allow inline script and style elements
Platform Web SDK can modify page content and must be approved to create inline script and style tags. To accomplish this, Adobe recommends using a nonce for the default-src CSP directive. A nonce is a server-generated, cryptographically strong random token that is generated once per page view.
default-src 'nonce-SERVER-GENERATED-NONCE'
In addition, the CSP nonce needs to be added as an attribute to the Platform Web SDK base code script tag. Platform Web SDK will then use that nonce when adding inline script or style tags to the page:
<script nonce="SERVER-GENERATED-NONCE">
!function(n,o){o.forEach(function(o){n[o]||((n.__alloyNS=n.__alloyNS||
[]).push(o),n[o]=function(){var u=arguments;return new Promise(
function(i,l){n[o].q.push([i,l,u])})},n[o].q=[])})}
(window,["alloy"]);
</script>
If a nonce is not used, the other option is to add unsafe-inline to the script-src and style-src CSP directives:
script-src 'unsafe-inline'
style-src 'unsafe-inline'
This option is not recommended, because unsafe-inline allows any script to run on the page, which limits the benefits of the CSP.
Configure a CSP for In-App Messaging
When you configure Web In-App Messaging, you must include the following directive in your CSP:
default-src blob:;