Expand my Community achievements bar.

SOLVED

Setting Nonce for experiences containing Javascript in Adobe Target

Avatar

Level 4

Hi Everyone,

I am currently integrating Adobe Target into a site that uses Content Security Policy (CSP) headers with nonce values for third-party and inline scripts:

Content-Security-Policy: script-src 'nonce-<value>'

I am using Adobe Launch to load Target. Adobe Launch supports nonce and successfully loads Target along with other extensions and rules.

However, I am encountering an issue with Javascript in the Target experiences. These experiences are based on Target Experience Templates (https://github.com/Adobe-Marketing-Cloud/target-experience-templates) that is, consist of a <script> element with Javascript inside. It appears that Target does not insert the nonce when placing the script on the page.

Is there a way to instruct Adobe Target to specify the nonce when inserting Javascript experiences?

Any guidance would be greatly appreciated.

nonce-issue-inline-scripts.png

1 Accepted Solution

Avatar

Correct answer by
Level 4

Ok, it turned out that I just needed to set cspScriptNonce in targetGlobalSettings.

 

const nonce = <getting-the-nonce-value>;

window.targetGlobalSettings = {
  . . .
  cspScriptNonce: nonce
};

 

View solution in original post

2 Replies

Avatar

Correct answer by
Level 4

Ok, it turned out that I just needed to set cspScriptNonce in targetGlobalSettings.

 

const nonce = <getting-the-nonce-value>;

window.targetGlobalSettings = {
  . . .
  cspScriptNonce: nonce
};

 

Avatar

Community Advisor

Hi @Dmytro_Panchenk Good to know it's worked out for you. 

yes, this is the right config for CSP nonces to be added into Script under targetGlobalSetting,  

https://experienceleague.adobe.com/en/docs/target-dev/developer/client-side/at-js-implementation/fun...