Hi Team,
We’re currently implementing a strict Content Security Policy (CSP) in our web application, and we’ve encountered an issue where Adobe Analytics scripts are being blocked unless we add 'unsafe-eval' to the script-src directive.
However, our security guidelines specifically aim to avoid 'unsafe-eval', so this is not a viable option for us.
at.js 2.11.6
You might want to try switching to the latest async embed code from Adobe Launch — it’s designed to be more CSP-friendly and doesn’t rely on eval, which helps avoid needing 'unsafe-eval'.
Also, it’s a good idea to review any custom code in Launch (like in rules or data elements) to make sure nothing is using new Function() or similar patterns, since those can also trigger CSP issues even if the main library is compliant. This approach could help you stay within your security guidelines.
Let me know if it helps.
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.