Adobe Analytics

Di_Sai · 6/5/25

Hi Team,

We’re currently implementing a strict Content Security Policy (CSP) in our web application, and we’ve encountered an issue where Adobe Analytics scripts are being blocked unless we add 'unsafe-eval' to the script-src directive.

However, our security guidelines specifically aim to avoid 'unsafe-eval', so this is not a viable option for us.

at.js 2.11.6

Vinay_Chauhan · 6/5/25

You might want to try switching to the latest async embed code from Adobe Launch — it’s designed to be more CSP-friendly and doesn’t rely on eval, which helps avoid needing 'unsafe-eval'.

Also, it’s a good idea to review any custom code in Launch (like in rules or data elements) to make sure nothing is using new Function() or similar patterns, since those can also trigger CSP issues even if the main library is compliant. This approach could help you stay within your security guidelines.

Let me know if it helps.

View solution in original post

Vinay_Chauhan · 6/5/25

You might want to try switching to the latest async embed code from Adobe Launch — it’s designed to be more CSP-friendly and doesn’t rely on eval, which helps avoid needing 'unsafe-eval'.

Also, it’s a good idea to review any custom code in Launch (like in rules or data elements) to make sure nothing is using new Function() or similar patterns, since those can also trigger CSP issues even if the main library is compliant. This approach could help you stay within your security guidelines.

Let me know if it helps.

Elanchezhiyan_E · 6/6/25

Hi @Di_Sai,

Based on the screenshot you provided, it seems you have implemented the Nonce along with the Content Security Policy headers. So you need to update the adobe launch embed code with nonce value, and pass the nonce value to data layer. This is necessary because the Nonce value needs to be added to the Core extension, allowing all the custom code to be applied with server generated Nonce.

Here is what you need to do,

Create a data element to capture the nonce value from the data layer
Add this data element to the Core extension as outlined below,
Update the Core extension, and publish the changes into production.

Next include the Tracking server and the adobe data collection URL's in the relevant CSP headers, (script-src, connect-src, and img-src). Once this is completed, the Adobe scripts would function as expected and eliminating the need for 'unsafe-eval'.

I hope this resolves your issue.
Let me know if you need any further assistance..!

Di_Sai · 6/9/25

Seems to be not working with the above approach, please let me know if anything is missed

window.dataLayer = window.dataLayer || [];
window.dataLayer.push({
nonce: '<%= nonceValue %>' // Replace dynamically with your framework/server logic
});

Elanchezhiyan_E · 6/12/25

You are using the Google's data Layer Approach.

Ensure that you add the Nonce value to the Adobe Launch Code by including an additional attribute, such as 'nonce', also need to add one more attribute called data-nonce (any custom name of your choice) as shown below,

The reason adding data-nonce is that the nonce attribute cannot be directly retrieved, as Google blocks it by default.

I have implemented the same for Launch and GTM also.

try this approach and create a data element as follows,

then refer the data element to the Core extension.

I hope this will work.

Good Luck..!

Sukrity_Wadhwa · 6/25/25

Hi @Di_Sai,

Were you able to resolve this query with the help of the provided solutions, or do you still need further assistance? Please let us know. If any of the answers were helpful in moving you closer to a resolution, even partially, we encourage you to mark the one that helped the most as the 'Correct Reply.'

Thank you!

Adobe Analytics

Adobe Analytics Scripts Blocked by CSP – Need Guidance

Sukrity Wadhwa

Learn

Documentation

Events

Community

Support

Resources

Adobe account

Adobe