Content Security Policies and the Experience Cloud Identity Service
Topics: Identities, Integrations
Created for: Developer, User, Admin, Leader
A Content Security Policy (CSP) is an HTTP header and security feature that gives browsers control over what type of resources are loaded on a Web page. Review this section if you use the ID service and have strict CSPs that use whitelists to accept resources from trusted domains. You will need to add the Adobe domains listed here to your CSP whitelists.
CSP Review
CSPs use the HTTP header `Content-Security-Policy` to control the type of resources a browser accepts or loads on a page. Applying a CSP can help you prevent:
- JavaScript files from loading if the source is unknown or not included in a whitelist.
- Cross-site scripting (XSS) attacks.
- Data injection attacks.
- Site defacement attacks.
- Malware distribution.
The use of CSPs is common and well understood. It is not the purpose of this documentation to explain CSPs in detail (see the related information links below for more information). What is important is that you understand which Adobe domain names you should add to a CSP if you use Experience Cloud solutions and have tight security policies. Adding these domains lets visitor browsers that access your site make those important calls to the Experience Cloud resources that you use.
Experience Cloud Domains for Whitelisting
Add these domain names or URLs to your CSP for each listed Experience Cloud solution or service that you use.
Experience Cloud Solution or Service | Description |
---|---|
AppMeasurement | Modify your CSP to include the following: |
Target | Modify your CSP to include *.tt.omtrdc.net. |
Experience Cloud ID Service and Audience Manager | Modify your CSP to include the domains below. Calls to the demdex.net domain are used to generate the Cookies and the Experience Cloud Identity Service and for ID syncs. See also, Understanding Calls to the Demdex Domain. |
Activity Map plugin | Modify your CSP to include *.adobe.com. **Note**: If you already had Activity Map installed before January 2020, your browser will still see an initial request to *.omniture.com, but will be redirected to *.adobe.com. |
Advertising Analytics | If you have controls on query string parameters, be sure to whitelist the parameters `s_kwcid` and `ef_id`. Technically, Advertising Analytics only uses `s_kwcid`, but if you pick up Ad Cloud Search or DSP, it also uses `ef_id`. These query string parameters are alphanumeric. The `s_kwcid` parameter uses the “!” character and the `ef_id` parameter uses the “:” character. If you are blocking the “!” character in the URL, you need to whitelist it as well. |
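To confirm that a deployed policy covers the domains in the table, the check below parses a `Content-Security-Policy` value and reports which required hosts it would block. This is an added example, not Adobe code: the sample policy, the host names and the choice of directive for each domain are constructed assumptions, and only the patterns `*.tt.omtrdc.net`, `*.adobe.com` and `demdex.net` come from this page.

```python
# Constructed sample policy. Which directive each domain belongs under is an
# assumption for illustration; the page names the domains, not the directives.
SAMPLE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' *.adobe.com *.tt.omtrdc.net; "
    "img-src 'self' *.tt.omtrdc.net"
)
# (directive, host) pairs the site needs; host names are constructed examples.
REQUIRED = [
    ("script-src", "example.tt.omtrdc.net"),
    ("script-src", "example.adobe.com"),
    ("img-src", "example.demdex.net"),
    ("connect-src", "example.tt.omtrdc.net"),
]


def parse_csp(header):
    """Return {directive: [sources]}; a repeated directive is ignored, as browsers do."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def host_matches(source, host):
    """Compare one source expression with a host name (scheme, port and path ignored)."""
    if source.startswith("'"):  # keywords ('self', 'none', nonces) name no external host
        return False
    if source in ("*", "https:"):  # blanket sources allow any host
        return True
    pattern = source.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()
    if pattern.startswith("*."):
        # *.adobe.com covers a.adobe.com but not adobe.com or notadobe.com
        return host.lower().endswith(pattern[1:])
    return pattern == host.lower()


def allowed(policy, directive, host):
    """Use the directive's list, else default-src; no list at all means no restriction."""
    sources = policy.get(directive, policy.get("default-src"))
    return True if sources is None else any(host_matches(s, host) for s in sources)


def missing(policy, required):
    """List the (directive, host) pairs the policy would block."""
    return [(d, h) for d, h in required if not allowed(policy, d, h)]


if __name__ == "__main__":
    for directive, host in missing(parse_csp(SAMPLE_POLICY), REQUIRED):
        print(f"blocked: {host} is not covered by {directive}")
```

The sample policy fails two checks: nothing allows the demdex.net host under `img-src`, and the absent `connect-src` falls back to `default-src 'self'`.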