Update Cross-Origin Resource Sharing (CORS) policy for Activity Map

Last update: 2023-09-27



  • Analytics

Sometimes, the Activity Map tool cannot load in the browser due to the Cross-Origin Resource Sharing (CORS) policy on customer’s website domain. This can be validated by looking at the Console errors, which will show an error like this:

Refused to frame ‘https://sitecatalyst.omniture.com/’ because it violates the following Content Security Policy directive: "frame-src *.xyz.com *.facebook.com c.comenity.net *.google.com…


To fix this, update Cross-Origin Resource Sharing (CORS) policy as below to have Activity Map work on site:

Wild card domains

  • For ‘connect-src’, add sitecatalyst.omniture.com
  • For ‘frame-src’, add *.omniture.com

No wild card domains

  • For ‘connect-src’, add sitecatalyst.omniture.com
  • For ‘frame-src’, add sitecatalyst.omniture.com authorize.omniture.com sc5.omniture.com

The thing to take note of for the No wild card domains, is that we have sc5.omniture.com. This is for a company in Pacific Northwest (PNW) data center. If the company was in the:

  • London data center, use sc3.omniture.com
  • Singapore data center, use sc4.omniture.com

We recommend using the wild card domains, in case the Experience Cloud Login process ever changes in the future and uses different domains.

On this page