Update Cross-Origin Resource Sharing (CORS) policy for Activity Map

For Activity Map to work, update the Cross-Origin Resource Sharing (CORS) policy to use wild card domains.

Description


  • Customer Journey Analytics
  • Analytics


Sometimes, the Activity Map tool cannot load in the browser because of the Cross-Origin Resource Sharing (CORS) policy on the customer’s website domain. To confirm this, check the browser console, which shows an error like this:

Refused to frame ‘https://sitecatalyst.omniture.com/’ because it violates the following Content Security Policy directive: "frame-src *.xyz.com *.facebook.com c.comenity.net *.google.com…

Resolution

To fix this, update the Cross-Origin Resource Sharing (CORS) policy as shown below so that Activity Map works on the site:

Wild card domains

  • For ‘connect-src’, add sitecatalyst.omniture.com
  • For ‘frame-src’, add *.omniture.com

No wild card domains

  • For ‘connect-src’, add sitecatalyst.omniture.com
  • For ‘frame-src’, add sitecatalyst.omniture.com authorize.omniture.com sc5.omniture.com

Note that the no wild card list includes sc5.omniture.com. This host is for a company in the Pacific Northwest (PNW) data center. If the company is in the:

  • London data center, use sc3.omniture.com
  • Singapore data center, use sc4.omniture.com

We recommend using the wild card domains, in case the Experience Cloud Login process ever changes in the future and uses different domains.
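The following check is an added example, not Adobe's code: it parses a site's policy header value and reports which of the hosts listed above the `connect-src` and `frame-src` directives (Content Security Policy directives) would still block. The function names, the simplified source matching and the sample policies are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hosts from the article; "{dc}" is the data center host
# (sc5 = Pacific Northwest, sc3 = London, sc4 = Singapore).
REQUIRED = {"connect-src": ["sitecatalyst.omniture.com"],
            "frame-src": ["sitecatalyst.omniture.com", "authorize.omniture.com", "{dc}"]}
# CSP fallback chain used when a directive is absent from the policy.
FALLBACK = {"connect-src": ["default-src"], "frame-src": ["child-src", "default-src"]}
# Constructed sample policies (not from the article).
BEFORE = "default-src 'self'; frame-src *.example.com; connect-src 'self'"
AFTER = ("default-src 'self'; frame-src *.example.com *.omniture.com; "
         "connect-src 'self' sitecatalyst.omniture.com")


def parse_csp(header):
    """Split a policy header value into {directive: [sources]}; first duplicate wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def source_allows(source, host):
    """Simplified host-source match for an https URL (ports and paths ignored)."""
    source = source.lower()
    if source in ("*", "https:"):
        return True
    if source.startswith("'"):  # keywords such as 'self' or 'none'
        return False
    pattern = urlsplit(source if "//" in source else "//" + source).hostname or ""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # *.omniture.com matches subdomains only
    return host == pattern


def missing_sources(header, data_center_host="sc5.omniture.com"):
    """Return {directive: [required hosts the policy would block]} for Activity Map."""
    policy = parse_csp(header)
    missing = {}
    for directive, hosts in REQUIRED.items():
        names = [directive] + FALLBACK[directive]
        effective = next((policy[n] for n in names if n in policy), None)
        wanted = [h.format(dc=data_center_host) for h in hosts]
        # No governing directive at all means the fetch is unrestricted.
        blocked = [] if effective is None else [
            h for h in wanted if not any(source_allows(s, h) for s in effective)]
        if blocked:
            missing[directive] = blocked
    return missing
```

An empty result from `missing_sources` means both directives already allow the required hosts; pass `data_center_host="sc3.omniture.com"` or `"sc4.omniture.com"` for the London or Singapore data centers.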