Content Security Policies and the Experience Cloud Identity Service

A Content Security Policy (CSP) is an HTTP header and security feature that gives browsers control over what type of resources are loaded on a Web page. Review this section if you use the ID service and have strict CSPs that use whitelists to accept resources from trusted domains. You will need to add the Adobe domains listed here to your CSP whitelists.

CSP Review

CSPs use the HTTP header Content-Security-Policy to control the type of resources a browsers accept or load on a page. Applying a CSP can help you prevent:

  • JavaScript files from loading if the source is unknown or not included in a whitelist.
  • Cross-site scripting (XXS) attacks.
  • Data injection attacks.
  • Site defacement attacks.
  • Malware distribution.

The use of CSPs are common and well-understood. It is not the purpose of this documentation to explain CSPs in detail (see the related information links below for more information). What is important is that you understand what Adobe domain names you should add to a CSP if you use these and have tight security policies. Adding these domains lets visitor browsers that access your site make those important calls to Experience Cloud resources that you use.

Experience Cloud Domains for Whitelisting

Add these domain names or URLs to your CSP for each list Experience Cloud solution or service that you use.

Experience Cloud Solution or Service
Description
AppMeasurement

Modify your CSP to include the following:

  • *.2o7.net
  • *.omtrdc.net
Target
Modify your CSP to include *.tt.omtrdc.net.
Experience Cloud ID Service and Audience Manager

Modify your CSP to include the domains below.

  • connect-src 'self' https://*.demdex.net https://cm.everesttech.net https://assets.adobedtm.com;
  • img-src 'self' https://*.demdex.net https://cm.everesttech.net https://assets.adobedtm.com;
  • script-src 'self' https://*.demdex.net https://cm.everesttech.net https://assets.adobedtm.com;
  • frame-src 'self' https://*.demdex.net;
  • If you use Adobe Launch to deploy tags, you also have to add https://assets.adobedtm.com to the list of domains.

Calls to the demdex.net domain are used to generate the Cookies and the Experience Cloud Identity Service and for ID syncs. See also, Understanding Calls to the Demdex Domain.

Activity Map plugin
Modify your CSP to include *.adobe.com. **Note**: If you already had Activity Map installed prior to January, 2020, your browser will still see an initial request to *.omniture.com, but will be redirected to *.adobe.com.
Advertising Analytics
If you have controls on query string parameters, be sure to whitelist the parameters `s_kwcid` and `ef_id`. Technically, Advertising Analytics only uses `s_kwcid`, but if you pick up Ad Cloud Search or DSP, it also uses `ef_id`. These query string parameters are alphanumeric. The `s_kwcid` parameter uses the “!” character and the `ef_id` parameter uses the “:” character. If you are blocking the “!” character in the URL, you need to whitelist it as well.
recommendation-more-help
9c9e8ca9-9f7e-42c9-a5d5-a0d82776362a