SOLVED

Adobe Analytics Scripts Blocked by CSP – Need Guidance

Level 1

Hi Team,

We’re currently implementing a strict Content Security Policy (CSP) in our web application, and we’ve encountered an issue where Adobe Analytics scripts are being blocked unless we add 'unsafe-eval' to the script-src directive.

However, our security guidelines specifically aim to avoid 'unsafe-eval', so this is not a viable option for us.

at.js 2.11.6

1 Accepted Solution

Correct answer by
Community Advisor

You might want to try switching to the latest async embed code from Adobe Launch — it’s designed to be more CSP-friendly and doesn’t rely on eval, which helps avoid needing 'unsafe-eval'.

Also, it’s a good idea to review any custom code in Launch (like in rules or data elements) to make sure nothing is using new Function() or similar patterns, since those can also trigger CSP issues even if the main library is compliant. This approach could help you stay within your security guidelines.

Let me know if it helps.

5 Replies

Level 2

Hi @Di_Sai,

Based on the screenshot you provided, it seems you have implemented the nonce along with the Content Security Policy headers. So you need to update the Adobe Launch embed code with the nonce value, and pass the nonce value to the data layer. This is necessary because the nonce value needs to be added to the Core extension, allowing all the custom code to be applied with the server-generated nonce.

Here is what you need to do:

  1. Create a data element to capture the nonce value from the data layer
  2. Add this data element to the Core extension as outlined below,
  3. Update the Core extension, and publish the changes into production.

Elanchezhiyan_E_0-1749207909863.png

Next, include the tracking server and the Adobe data collection URLs in the relevant CSP headers (script-src, connect-src, and img-src). Once this is completed, the Adobe scripts would function as expected, eliminating the need for 'unsafe-eval'.

I hope this resolves your issue.
Let me know if you need any further assistance!

Level 1

It does not seem to be working with the above approach. Please let me know if anything is missed.

window.dataLayer = window.dataLayer || [];
window.dataLayer.push({
  nonce: '<%= nonceValue %>' // Replace dynamically with your framework/server logic
});

Level 2

You are using Google's data layer approach.

Ensure that you add the nonce value to the Adobe Launch code by including an additional attribute, such as 'nonce'. You also need to add one more attribute called data-nonce (any custom name of your choice), as shown below:

<script id='nonce' nonce='<%server generated number%>' data-nonce='<%server generated number%>' async....>

The reason for adding data-nonce is that the nonce attribute cannot be directly retrieved, as Google blocks it by default.

I have implemented the same for Launch and GTM also.

Try this approach and create a data element as follows:

Elanchezhiyan_E_0-1749730283969.png

Then refer to the data element in the Core extension.

 

I hope this will work.

Good luck!
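
The nonce setup described in the replies above, sketched end to end as an added example that is not part of the original thread and not Adobe's code. It assumes a Node.js server; the Launch embed URL and tracking server are placeholders, and the function names are hypothetical.

```javascript
// Added example, not Adobe's code. Placeholders below are assumptions; use your own values.
const LAUNCH_SRC = 'https://assets.adobedtm.com/EXAMPLE/launch-EXAMPLE.min.js';
const TRACKING_SERVER = 'https://metrics.example.com';

// Web Crypto is global in current Node; older Node exposes it through require().
const webcrypto = globalThis.crypto || require('crypto').webcrypto;

// Server side: a fresh, unpredictable nonce for every response (never reuse one).
function newNonce() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  return btoa(String.fromCharCode(...bytes));
}

// Server side: the policy for this response. 'unsafe-eval' is never emitted.
function buildCsp(nonce) {
  const launchOrigin = new URL(LAUNCH_SRC).origin;
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}' ${launchOrigin}`,
    `connect-src 'self' ${TRACKING_SERVER}`,
    `img-src 'self' ${TRACKING_SERVER}`,
  ].join('; ');
}

// Server side: embed tag as in the reply; data-nonce is the copy the data element reads.
function embedTag(nonce) {
  return `<script id="nonce" nonce="${nonce}" data-nonce="${nonce}" src="${LAUNCH_SRC}" async></script>`;
}

// Browser side: custom-code data element logic (in Launch, pass `document`).
function readNonce(doc) {
  const el = doc.getElementById('nonce');
  return el ? el.getAttribute('data-nonce') : undefined;
}

// Pre-deploy check: header and tag must agree on the nonce, with no eval allowance.
function checkPage(csp, html) {
  const problems = [];
  const scriptSrc = csp.split(';').map((d) => d.trim()).find((d) => d.startsWith('script-src ')) || '';
  const headerNonce = (scriptSrc.match(/'nonce-([^']+)'/) || [])[1];
  const tagNonce = (html.match(/\snonce="([^"]+)"/) || [])[1];
  const dataNonce = (html.match(/\sdata-nonce="([^"]+)"/) || [])[1];
  if (scriptSrc.includes("'unsafe-eval'")) problems.push("script-src allows 'unsafe-eval'");
  if (!headerNonce) problems.push('script-src has no nonce source');
  if (tagNonce !== headerNonce) problems.push('tag nonce does not match header');
  if (dataNonce !== tagNonce) problems.push('data-nonce does not match nonce');
  return problems;
}
```

Running checkPage against a rendered response catches the common failure where a cached page carries a stale nonce that no longer matches the header.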

 

Administrator

Hi @Di_Sai,

Were you able to resolve this query with the help of the provided solutions, or do you still need further assistance? Please let us know. If any of the answers were helpful in moving you closer to a resolution, even partially, we encourage you to mark the one that helped the most as the 'Correct Reply.'

Thank you!



Sukrity Wadhwa