Content Security Policies and the Experience Cloud Identity Service
A Content Security Policy (CSP) is an HTTP header and security feature that lets a site control which types of resources a browser may load on a web page. Review this section if you use the ID service and have strict CSPs that use whitelists to accept resources only from trusted domains. You will need to add the Adobe domains listed here to your CSP whitelists.
CSP Review
CSPs use the HTTP header Content-Security-Policy to control the types of resources a browser accepts or loads on a page. Applying a CSP can help you prevent:
- JavaScript files from loading if the source is unknown or not included in a whitelist.
- Cross-site scripting (XSS) attacks.
- Data injection attacks.
- Site defacement attacks.
- Malware distribution.
CSPs are common and well understood. It is not the purpose of this documentation to explain CSPs in detail (see the related information links below). What is important is that you understand which Adobe domain names to add to a CSP if you use these services and have tight security policies. Adding these domains lets the browsers of visitors to your site make the calls to the Experience Cloud resources that you use.
Experience Cloud Domains for Whitelisting
Add these domain names or URLs to your CSP for each listed Experience Cloud solution or service that you use.
Modify your CSP to include the following:
- *.2o7.net
- *.omtrdc.net
Modify your CSP to include the domains below.
- connect-src 'self' https://*.demdex.net https://cm.everesttech.net https://assets.adobedtm.com;
- img-src 'self' https://*.demdex.net https://cm.everesttech.net https://assets.adobedtm.com;
- script-src 'self' https://*.demdex.net https://cm.everesttech.net https://assets.adobedtm.com;
- frame-src 'self' https://*.demdex.net;
- If you use Adobe Launch to deploy tags, you also have to add https://assets.adobedtm.com to the list of domains.
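The directives above, as an added checker that is not part of Adobe's documentation or of the ID service: it parses a Content-Security-Policy header, reports which of the listed sources are missing from each directive (following the default-src and child-src fallbacks a browser applies when a directive is absent), emits a header that satisfies the list, and tests whether a given URL would be allowed. The sample header, the `'self'` origin and the URLs tested are constructed assumptions.

```python
from urllib.parse import urlparse
# Source expressions the documentation lists per directive; assets.adobedtm.com is
# the Adobe Launch host and only needed when Launch deploys the tags.
ADOBE = ["https://*.demdex.net", "https://cm.everesttech.net", "https://assets.adobedtm.com"]
REQUIRED = {"connect-src": ADOBE, "img-src": ADOBE, "script-src": ADOBE, "frame-src": ADOBE[:1]}
# Directives a browser consults when the specific one is absent (default-src otherwise).
FALLBACK = {"frame-src": ["child-src", "default-src"]}
# Constructed sample: script-src lacks assets.adobedtm.com and frame-src is absent, so
# frames fall back to default-src 'self', which blocks the demdex.net iframe.
SAMPLE_HEADER = (
    "default-src 'self'; "
    "connect-src 'self' https://*.demdex.net https://cm.everesttech.net https://assets.adobedtm.com; "
    "img-src 'self' https://*.demdex.net https://cm.everesttech.net https://assets.adobedtm.com; "
    "script-src 'self' https://*.demdex.net https://cm.everesttech.net"
)

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    """Source list that governs `directive`, following the CSP fallback chain."""
    for name in [directive] + FALLBACK.get(directive, ["default-src"]):
        if name in policy:
            return policy[name]
    return []

def missing_sources(header, required=REQUIRED):
    """Required source expressions absent from each directive's effective list."""
    policy = parse_csp(header)
    gaps = {d: [s for s in srcs if s not in effective_sources(policy, d)] for d, srcs in required.items()}
    return {d: s for d, s in gaps.items() if s}

def build_csp(required=REQUIRED):
    """A header that satisfies `required` on top of a default-src 'self' baseline."""
    return "; ".join(["default-src 'self'"] + [f"{d} 'self' {' '.join(s)}" for d, s in required.items()])

def host_allowed(sources, url, self_origin):
    """True if `url` matches a host source in `sources` (same scheme, exact or *. host)."""
    target = urlparse(url)
    for src in sources:
        expr = urlparse(self_origin if src == "'self'" else src)
        if expr.scheme != target.scheme or not expr.hostname:
            continue  # keywords such as 'none' or nonces never match a host
        host, want = expr.hostname, target.hostname
        if host == want or (host.startswith("*.") and want.endswith(host[1:])):
            return True
    return False
```

Run `missing_sources` against the header your site actually sends; an empty result means every listed source is reachable for the directive a browser would consult.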
Calls to the demdex.net domain are used to generate the Experience Cloud Identity Service cookies and to perform ID syncs. See also Understanding Calls to the Demdex Domain.