~things that matter~


CSP for Adobe Experience Cloud

There have been quite a few questions from across our Experience Cloud customers on handling CSP for the products, mainly Adobe Analytics and Adobe Target.

If CSP is something you are hearing for the first time, let me simplify: There are some Adobe domain names you should add to a Content Security Policy (CSP) on your website if you use these solutions and have tight security policies.

Allowing these domains lets visitor browsers that access your site make those important calls to Experience Cloud resources that you use.

Our documentation covers CSP recommendations for the various solutions separately. Feel free to review them here and here.

These documents tell you the domains that need to be whitelisted for your website to communicate from a browser. A few things you need to keep in mind:

  • “unsafe-inline” can help fix the CSP errors. However, that is UNSAFE 🙂
  • A nonce-based solution would be required for Adobe Launch.
  • Launch must load asynchronously for the recommended approach to work. Technically, if you feel adventurous, you may be able to make a synchronous deployment work equally well. Again, that is neither a recommendation from Adobe, nor would I be responsible should anything break.
  • While Launch would work with the nonce-based solution, you must take care of Adobe Target pre-hiding and flicker control code (outside of Adobe Launch) separately (i.e. allow them somehow).
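The nonce-based approach from the list above, sketched server-side in Node.js as an added example (not code from this post or from Adobe). The script host, the Launch URL and the snippet body are assumed placeholders, and the last function is a check that catches an inline pre-hiding snippet left without the nonce.

```javascript
// Added example: per-request CSP nonce for a page that loads Adobe Launch
// asynchronously and keeps an inline Target pre-hiding snippet outside Launch.
const { randomBytes } = require('node:crypto');

// Assumed sample host; take the real list from Adobe's CSP documentation.
const SCRIPT_HOSTS = ['https://assets.adobedtm.com'];

// A nonce must be unpredictable and regenerated for every response.
function makeNonce() {
  return randomBytes(16).toString('base64');
}

// Build the script-src directive without 'unsafe-inline': inline code is
// allowed by nonce only. Other directives (connect-src, img-src, ...) for the
// Adobe hosts are omitted here and follow the vendor documentation.
function buildCsp(nonce, scriptHosts = SCRIPT_HOSTS) {
  return ['script-src', "'self'", ...scriptHosts, `'nonce-${nonce}'`].join(' ');
}

// Render the <head>: the pre-hiding snippet (placeholder body) and the async
// Launch loader both carry the nonce. launchUrl is a placeholder; how Launch
// applies the nonce to scripts it injects is configured in Launch, not here.
function renderHead(nonce, launchUrl) {
  return [
    `<script nonce="${nonce}">/* Target pre-hiding snippet goes here */</script>`,
    `<script nonce="${nonce}" src="${launchUrl}" async></script>`,
  ].join('\n');
}

// Pre-deployment check: return the bodies of inline <script> tags that the
// policy would block because they lack the current nonce.
function blockedInlineScripts(html, nonce) {
  const blocked = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(re)) {
    const isInline = !/\bsrc\s*=/i.test(attrs);
    const hasNonce = attrs.includes(`nonce="${nonce}"`);
    if (isInline && !hasNonce) blocked.push(body.trim());
  }
  return blocked;
}
```

Send the value of `buildCsp(nonce)` as the `Content-Security-Policy` response header and pass the same `nonce` to `renderHead` for that response only.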

I feel that is enough instruction for someone who knows what CSP is. You can see some (not-so-elegant) CSP demo pages here.
Do look at the CSP HEADERS and/or META Tags, and the custom message I am printing in the developer console, e.g.:

Deepak Ranjan Kar