Adobe Analytics Scripts Blocked by CSP – Need Guidance | Community
Skip to main content
D
Di_Sai
June 5, 2025
Solved

Adobe Analytics Scripts Blocked by CSP – Need Guidance

  • June 5, 2025
  • 4 replies
  • 1268 views

Hi Team,

We’re currently implementing a strict Content Security Policy (CSP) in our web application, and we’ve encountered an issue where Adobe Analytics scripts are being blocked unless we add 'unsafe-eval' to the script-src directive.

However, our security guidelines specifically aim to avoid 'unsafe-eval', so this is not a viable option for us.

at.js 2.11.6

    Best answer by Vinay_Chauhan

    You might want to try switching to the latest async embed code from Adobe Launch — it’s designed to be more CSP-friendly and doesn’t rely on eval, which helps avoid needing 'unsafe-eval'.

    Also, it’s a good idea to review any custom code in Launch (like in rules or data elements) to make sure nothing is using new Function() or similar patterns, since those can also trigger CSP issues even if the main library is compliant. This approach could help you stay within your security guidelines.

    Let me know if it helps.

    4 replies

    Vinay_Chauhan
    Community Advisor
    Vinay_ChauhanCommunity AdvisorAccepted solution
    Community Advisor
    June 5, 2025

    You might want to try switching to the latest async embed code from Adobe Launch — it’s designed to be more CSP-friendly and doesn’t rely on eval, which helps avoid needing 'unsafe-eval'.

    Also, it’s a good idea to review any custom code in Launch (like in rules or data elements) to make sure nothing is using new Function() or similar patterns, since those can also trigger CSP issues even if the main library is compliant. This approach could help you stay within your security guidelines.

    Let me know if it helps.

      Elanchezhiyan_E
      Elanchezhiyan_E
      Level 2
      June 6, 2025

      Hi @di_sai,

      Based on the screenshot you provided, it seems you have implemented the Nonce along with the Content Security Policy headers. So you need to update the adobe launch embed code with nonce value, and pass the nonce value to data layer. This is necessary because the Nonce value needs to be added to the Core extension, allowing all the custom code to be applied with server generated Nonce.

      Here is what you need to do,

      1. Create a data element to capture the nonce value from the data layer
      2. Add this data element to the Core extension as outlined below,
      3. Update the Core extension, and publish the changes into production.

      Next include the Tracking server and the adobe data collection URL's in the relevant CSP headers, (script-src, connect-src, and img-src). Once this is completed, the Adobe scripts would function as expected and eliminating the need for 'unsafe-eval'.

      I hope this resolves your issue.
      Let me know if you need any further assistance..!

      D
      Di_SaiAuthor
      June 9, 2025

      Seems to be not working with the above approach, please let me know if anything is missed

      window.dataLayer = window.dataLayer || [];
      window.dataLayer.push({
      nonce: '<%= nonceValue %>' // Replace dynamically with your framework/server logic
      });

      Elanchezhiyan_E
      Elanchezhiyan_E
      Level 2
      June 12, 2025

      You are using the Google's data Layer Approach.

      Ensure that you add the Nonce value to the Adobe Launch Code by including an additional attribute, such as 'nonce', also need to add one more attribute called data-nonce (any custom name of your choice) as shown below,

      <script id='nonce' nonce='<%server generated number%>' data-nonce='<%server generated number%>' async....>

      The reason adding data-nonce is that the nonce attribute cannot be directly retrieved, as Google blocks it by default.

      I have implemented the same for Launch and GTM also.

      try this approach and create a data element as follows,

      then refer the data element to the Core extension.

       

      I hope this will work.

      Good Luck..!

       

        Sukrity_Wadhwa
        Community Manager
        Sukrity_WadhwaCommunity Manager
        Community Manager
        June 25, 2025

        Hi @di_sai,

        Were you able to resolve this query with the help of the provided solutions, or do you still need further assistance? Please let us know. If any of the answers were helpful in moving you closer to a resolution, even partially, we encourage you to mark the one that helped the most as the 'Correct Reply.'

        Thank you!

        Sukrity Wadhwa
          A
          AkshaySh20
          October 7, 2025

          Hi,

          Can you please tell me what steps you followed to fix this issue? As we are using the latest async embed code from Adobe Launch but still it conflicts with CSP. 

          Thanks!

          Terms & ConditionsAccessibility statement

          Loading footer...