CSP for Adobe Tag Manager
Using Adobe Tag Manager with Content Security Policy
Adobe's popular Tag manager that injects other services into your web pages. Note that this package is for the Experience Cloud ID Service and Audience Manager. There are other packages for Appmeasurement, Target, Activity Map Plugin, and Advertising analytics.
Allow these directives in your CSP, to support Adobe Tag Manager in your Content Security Policy:
script-src
'unsafe-eval'
https://*.demdex.net
https://*.everesttech.net
https://assets.adobedtm.com
https://commerce.adobedtm.com;
frame-src
*.everesttech.net
*.demdex.net;
child-src
*.everesttech.net
*.demdex.net;
img-src
data:
*.demdex.net
*.everesttech.net
*.adobedtm.com;
connect-src
*.demdex.net
*.everesttech.net
*.adobedtm.com;
The main domains used by Adobe Tag Manager are:
demdex.net
everesttech.net
adobedtm.com
Sources:
Example Content-Security-Policy violations / reports:
Using the above CSP package, will fix these errors that you may be seeing in your console logs:
script-src
/script-src-elem
/script-src-attr
violations
Refused to load the script 'https://assets.adobedtm.com/extensions/*/AppMeasurement.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'report-sample'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
If you see inline script errors, you need to add SHA-256 hashes / nonces to your CSP with RapidSec:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc='), or a nonce ('nonce-...') is required to enable inline execution.
If you see inline eval() errors, RapidSec will generate your CSP with the specific content of the errors:
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'report-sample'".
style-src
/style-src-elem
/style-src-attr
violations
Refused to load the stylesheet 'demdex.net' because it violates the following Content Security Policy directive: "style-src 'self' 'report-sample'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.
If you see inline style errors, you need to add SHA-256 hashes / nonces to your CSP with RapidSec:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc='), or a nonce ('nonce-...') is required to enable inline execution.
font-src
violations
Refused to load the font 'demdex.net' because it violates the following Content Security Policy directive: "font-src 'self'"
img-src
violations
Refused to load the image 'demdex.net' because it violates the following Content Security Policy directive: "img-src 'self'".
frame-src
violations
[Report Only] Refused to frame 'demdex.net' because it violates the following Content Security Policy directive: "frame-src 'self'".
form-action
violations
[Report Only] Refused to send form data to 'demdex.net' because it violates the following Content Security Policy directive: "form-action 'self'".
connect-src
violations
[Report Only] Refused to connect to 'demdex.net' because it violates the following Content Security Policy directive: "connect-src 'self'"