Adobe DTM Content Security Policy Block | Community
September 27, 2017

Adobe DTM Content Security Policy Block

  • September 27, 2017
  • 2 replies
  • 14387 views

Hi all

Recently I've been in various discussions with Adobe Support to solve an issue I've been facing in my company: the DTM library getting blocked by the Content Security Policy. Finally, we were able to solve the problem (not through Adobe Support) by updating the CSP header to include the following:

"default-src 'self' 'unsafe-inline' *.adobedtm.com *.sc.omtrdc.net; font-src 'self' data:; img-src 'self' data: *.sc.omtrdc.net;";

I wanted to share this with you as Adobe didn't have any standards on how to deal with such a problem, and I'm hoping that Adobe gets something documented ASAP.

More details can be found here:

https://content-security-policy.com/
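To see what a header like the one above actually grants before it ships, here is an added example (not from the post, and not Adobe code) that parses a CSP string into its directives, applies the default-src fallback that the browser applies for fetch directives, and reports the script-loading permissions. The policy string is the one shared in the post; everything else is built from Node.js built-ins.

```javascript
// Added example: audit a Content-Security-Policy header for script-loading permissions.
// Not code from the forum post or from Adobe; uses Node.js built-ins only.

// Fetch directives that fall back to default-src when they are not set explicitly.
const FETCH_DIRECTIVES = [
  'script-src', 'style-src', 'img-src', 'font-src',
  'connect-src', 'frame-src', 'media-src', 'object-src',
];

// Parse a CSP header into a Map of directive name -> array of source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // trailing ';' or empty segment
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Effective source list for a directive: explicit value, else default-src for
// fetch directives, else null (meaning the policy places no restriction).
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (FETCH_DIRECTIVES.includes(name) && directives.has('default-src')) {
    return directives.get('default-src');
  }
  return null;
}

// Summarise what the policy lets scripts do.
function auditScripts(header) {
  const d = parseCsp(header);
  const scriptSrc = effectiveSources(d, 'script-src') || [];
  return {
    // true when script-src is missing and default-src is doing the work
    inheritedFromDefault: !d.has('script-src') && d.has('default-src'),
    allowsInlineScripts: scriptSrc.includes("'unsafe-inline'"),
    allowsEval: scriptSrc.includes("'unsafe-eval'"),
    usesNonceOrHash: scriptSrc.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s)),
    // host sources only: drop keyword sources ('self', 'unsafe-*') and scheme sources
    hosts: scriptSrc.filter((s) => !s.startsWith("'") && !s.endsWith(':')),
  };
}

// The policy from the original post, kept as a constant for the demonstration.
const OP_POLICY =
  "default-src 'self' 'unsafe-inline' *.adobedtm.com *.sc.omtrdc.net; " +
  "font-src 'self' data:; img-src 'self' data: *.sc.omtrdc.net;";

console.log(auditScripts(OP_POLICY));
```

Run with `node audit-csp.js` (file name is arbitrary). For the posted policy the report shows that script-src is inherited from default-src, so the same 'unsafe-inline' and host list apply to scripts, styles and every other fetch directive that is not set explicitly; 'unsafe-eval' is not granted, which is consistent with the eval() complaint in the reply further down the thread.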


2 replies

jantzen_b
Adobe Employee
September 29, 2017

Hi,

Thank you for posting your solution to this problem. I haven't heard of this particular issue before, but if I see others facing it I'll be sure to point them here.

Thank you,
Jantzen

October 31, 2017

Hi,

So I have also run into a similar issue: when the page load function fires, our CSP blocks it as it does not allow 'unsafe-eval'. Now I can add unsafe-eval to the header, but our security team does not allow us to. So I was wondering if there is something I could do?

Thanks,

Christian

thebenrobb
Adobe Employee
May 13, 2019

For both DTM and Launch, you'll need to add `unsafe-inline` to the security policy (you can add the domains as in the OP to limit it to a subset of domains). The whole point of CSP is to block dynamic loading of scripts, which is sort of what tag managers do.

at.js 1.X also uses eval(), so if you're using Launch to deploy the Target extension (running at.js 1.X), then you'll also need to add `unsafe-eval`. at.js 2.0+ no longer uses eval(), so if you want to make that move, you can deploy it with the current Target extension using custom code, or you can wait for the upcoming Target extension that uses at.js 2.

For Launch specifically, we are researching an approach that would let you:
1) generate a nonce on the server-side
2) write that nonce into your headers and into the data layer somewhere
3) create a data element that references your nonce
4) tell Launch what data element to use when it dynamically loads other scripts

This is the only method that we know of that would allow us to work within a restrictive CSP environment.

September 3, 2021

Could you confirm that unsafe-eval is not needed for latest DTM? CSP still complains if I don't set unsafe-eval even with at.js 2+.