Content Security Policies and the Experience Cloud ID Service

A Content Security Policy (CSP) is an HTTP header and security feature that gives browsers control over what type of resources are loaded on a Web page. Review this section if you use the ID service and have strict CSPs that use whitelists to accept resources from trusted domains. You will need to add the Adobe domains listed here to your CSP whitelists.

CSP Review

CSPs use the HTTP header Content-Security-Policy to control the type of resources a browsers accept or load on a page. Applying a CSP can help you prevent:

  • JavaScript files from loading if the source is unknown or not included in a whitelist.
  • Cross-site scripting (XXS) attacks.
  • Data injection attacks.
  • Site defacement attacks.
  • Malware distribution.

The use of CSPs are common and well-understood. It is not the purpose of this documentation to explain CSPs in detail (see the related information links below for more information). What is important is that you understand what Adobe domain names you should add to a CSP if you use these and have tight security policies. Adding these domains lets visitor browsers that access your site make those important calls to Experience Cloud resources that you use.

Experience Cloud Domains for Whitelisting

Add these domain names or URLs to your CSP for each list Experience Cloud solution or service that you use.

Experience Cloud Solution or Service Description

AppMeasurement

Modify your CSP to include the following:

  • *.2o7.net
  • *.omtrdc.net

Target

Modify your CSP to include *.tt.omtrdc.net.

Visitor ID Service

Modify your CSP to include *.demdex.net.

Calls to the demdex.net domain are used to generate the Cookies and the Experience Cloud ID Service and for ID syncs. See also, Understanding Calls to the Demdex Domain.