CSP for Adobe Experience Cloud

There have been quite a few questions from across our Experience Cloud customers on handling CSP for the products, mainly Adobe Analytics and Adobe Target.

If CSP is something you are hearing for the first time, let me simplify: There are some Adobe domain names you should add to a Content Security Policy (CSP) on your website if you use these solutions and have tight security policies.

Allowing these domains lets visitor browsers that access your site make those important calls to Experience Cloud resources that you use.

Our documentation covers CSP recommendations for the various solutions separately. Feel free to review them here and here.

These documents tell you the domains that need to be whitelisted for your website to communicate from a browser. A few things you need to keep in mind:

  • “unsafe-inline” can help fix the CSP errors. However, that is UNSAFE 🙂
  • A nonce-based solution would be required for Adobe Launch.
  • Launch must load asynchronously for the recommended approach to work. Technically, if you feel adventurous, you may be able to make a synchronous deployment work equally well. Again, that is neither a recommendation from Adobe, nor would I be responsible should anything break.
  • While Launch would work with the nonce-based solution, you must take care of Adobe Target pre-hiding and flicker control code (outside of Adobe Launch) separately (i.e. allow them somehow).
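
The nonce approach from the list above, as an added example (not the author's demo code or Adobe's): a Node.js helper issues a per-response nonce, builds the CSP header, and renders the Target pre-hiding snippet and the asynchronous Launch tag with that nonce. The host names, the Launch URL and every function name here are placeholders or assumptions; take the real domains from Adobe's per-product CSP documentation.

```javascript
// Added example, not from the original post: nonce-based CSP for a page that
// loads Adobe Launch asynchronously. All names below are illustrative.
const { randomBytes } = require('node:crypto');

// Constructed sample allowlist (placeholder hosts). Replace with the domains
// listed in Adobe's CSP documentation for the products you use.
const SAMPLE_HOSTS = {
  script: ['https://launch-cdn.example'],
  connect: ['https://target-edge.example', 'https://analytics-collect.example'],
  img: ['https://analytics-collect.example'],
};

// One fresh, unpredictable nonce per HTTP response. Never hard-code or cache it.
function newNonce() {
  return randomBytes(16).toString('base64');
}

// Build the Content-Security-Policy header value. Note there is no
// 'unsafe-inline': inline code runs only if it carries this response's nonce.
function buildCsp(nonce, hosts) {
  return [
    ['default-src', "'self'"],
    ['script-src', "'self'", `'nonce-${nonce}'`, ...hosts.script],
    ['connect-src', "'self'", ...hosts.connect],
    ['img-src', "'self'", ...hosts.img],
  ].map((directive) => directive.join(' ')).join('; ');
}

// Render the two <head> scripts. The Target pre-hiding snippet is inline and
// lives outside Launch, so it needs the nonce itself; Launch loads with async.
function renderHead(nonce, launchUrl, prehidingSnippet) {
  return [
    `<script nonce="${nonce}">${prehidingSnippet}</script>`,
    `<script nonce="${nonce}" src="${launchUrl}" async></script>`,
  ].join('\n');
}

// Pre-deploy check: return every inline <script> tag (no src attribute) that
// lacks this response's nonce and would therefore be blocked by the policy.
function inlineScriptsMissingNonce(html, nonce) {
  const tags = html.match(/<script\b[^>]*>/gi) || [];
  return tags.filter(
    (tag) => !/\bsrc\s*=/i.test(tag) && !tag.includes(`nonce="${nonce}"`)
  );
}
```

Send the value from `buildCsp` as the `Content-Security-Policy` response header for the same response whose HTML was rendered with that nonce.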

I feel that is enough instruction for someone who knows what CSP is. You can see some (not-so-elegant) CSP demo pages here.
Do look at the CSP HEADERS and/or META Tags, and the custom message I am printing in the developer console, e.g.:



  1. Dheeraj

    For the new web sdk, can you confirm we do not need csp configurations for Analytics, Target tracking server etc.?

    • DRK

      You’re right. CSP becomes much simpler when you use Adobe’s WebSDK instead of individual libraries. The online help document does have the right domains for you to allowlist. That, however, doesn’t mean that you do not need to think about CSP from each product perspective. Do follow each product’s CSP instructions (minus the other domains listed in there).

  2. Ravi Kumar

    Hi Deepak, is there a sample showing the exact configuration for all products together? i.e. we are using Analytics, Adobe Target, and AAM. The documentation does not give clear examples.
    Your sample pages throw 404 errors. Please share some combined examples, if you can. Thanks in advance! Ravi

    • DRK

      Hi Ravi,
      My samples were not necessarily 100% accurate nor optimized. I had added slightly more permissions than strictly required.
      Probably the directory went missing when I moved the files to a new location. I have corrected that now. Let me know if that helps.

Deepak Ranjan Kar