CSP Nonce headers in AEM for Launch

stephanef891866

17-03-2020

Hi, 

 

We are an Adobe house and are using Launch for our deployment of tags as well as AEM in some key areas of our platform. So far we have been using hashes in our CSPs to allow specific inline script to be executed on the front-end.

Unfortunately, we also realised that because of how Launch builds its library, the hashes are very dependent on some internal ids Launch generate. 

 

Example:

 

_satellite["__runScript1"](function(event, target) {
 // the javascript code
});

 

 

The culprit in the code above is runScript1.

The id (1, 2, 3, etc.) is incremented during the build process and changes every time a new tag is added, removed, etc. on a specific page, leading to a new value and therefore the need for a new hash.

 

The Launch team officially recommends using nonces, not hashes. The challenge our dev team has expressed is that the headers in AEM seem to be cached. And they haven't found any way so far to keep the caching for the values that do not change, while adding a "nonce", which, by design, has to be updated on every single page load.

 

Can anyone advise on the best way to solve that conundrum?

 

A few references:

Nonce: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

Launch CSP recommendations: https://docs.adobe.com/content/help/en/launch/using/reference/client-side-info/content-security-poli...

 

Thanks!

cache csp header launch nonce security
