Content Security Policies and the Experience Cloud Identity Service
A Content Security Policy (CSP) is an HTTP header and security feature that gives browsers control over what type of resources are loaded on a Web page. Review this section if you use the ID service and have strict CSPs that use whitelists to accept resources from trusted domains. You will need to add the Adobe domains listed here to your CSP whitelists.
CSPs use the HTTP header
Content-Security-Policyto control the type of resources a browsers accept or load on a page. Applying a CSP can help you prevent:
- Cross-site scripting (XXS) attacks.
- Data injection attacks.
- Site defacement attacks.
- Malware distribution.
The use of CSPs are common and well-understood. It is not the purpose of this documentation to explain CSPs in detail (see the related information links below for more information). What is important is that you understand what Adobe domain names you should add to a CSP if you use these and have tight security policies. Adding these domains lets visitor browsers that access your site make those important calls to Experience Cloud resources that you use.
Experience Cloud Domains for Whitelisting
Add these domain names or URLs to your CSP for each list Experience Cloud solution or service that you use.
Experience Cloud Solution or Service
Modify your CSP to include the following:
Modify your CSP to include
Experience Cloud ID Service and Audience Manager
Modify your CSP to include the domains below.
Activity Map plugin
Modify your CSP to include *.adobe.com. **Note**: If you already had Activity Map installed prior to January, 2020, your browser will still see an initial request to *.omniture.com, but will be redirected to *.adobe.com.
If you have controls on query string parameters, be sure to whitelist the parameters `s_kwcid` and `ef_id`. Technically, Advertising Analytics only uses `s_kwcid`, but if you pick up Ad Cloud Search or DSP, it also uses `ef_id`. These query string parameters are alphanumeric. The `s_kwcid` parameter uses the “!” character and the `ef_id` parameter uses the “:” character. If you are blocking the “!” character in the URL, you need to whitelist it as well.