A Content Security Policy (CSP) helps improve website security by enabling the detection and mitigation of certain types of attacks, including XSS (Cross-Site Scripting) attacks and content injections.
To allow Eulerian to operate within a CSP context, you need to:
1. Add a "nonce" token to the script calls in your HTML document. This token is randomly generated by your server for each call and injected into the returned content. In our example, the token is inserted in place of "{TOKEN_NONCE}".
2. Add the data collection domain and the "nonce" to the script-src directive of your "Content-Security-Policy", whether it is delivered as an HTTP header or as a meta tag.
If you wish to use LiveTagging (which is highly recommended, especially for customer support), you will also need to add the authorization to the style-src directive of your CSP, because the CSS files that manage the display of the LiveTagging window must be allowed to load.
The 'nonce' method allows us to return the 'nonce' token in Tag Management. For greater compatibility, it is recommended to also add the domains of third-party tags to your CSP. In the case of ad-hoc tags, there is no guarantee that the 'nonce' will be implemented correctly.
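The steps above, as an added server-side sketch that is not Eulerian's own code: it generates one nonce per response, injects it in place of {TOKEN_NONCE}, and emits the matching header. The domain `collect.example.com`, the `/tag.js` path, the `'self'` sources, the helper names and the idea that the LiveTagging CSS is served from the collection domain are all assumptions.

```python
import secrets

# Assumptions, not from the page: the domain, the /tag.js path and the 'self'
# sources are placeholders for your own collection domain and existing policy.
COLLECT_DOMAIN = "https://collect.example.com"

# Constructed template; the server replaces {TOKEN_NONCE} on every response.
TEMPLATE = (
    "<!doctype html><html><head>"
    '<script nonce="{TOKEN_NONCE}" src="' + COLLECT_DOMAIN + '/tag.js"></script>'
    "</head><body>Hello</body></html>"
)


def new_nonce() -> str:
    """Return a fresh nonce: 128 bits from the OS CSPRNG, base64url-encoded."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str, livetagging: bool = False) -> str:
    """Build the Content-Security-Policy value that matches one response."""
    directives = {
        "script-src": ["'self'", f"'nonce-{nonce}'", COLLECT_DOMAIN],
    }
    if livetagging:
        # Assumed here: the LiveTagging CSS comes from the collection domain.
        directives["style-src"] = ["'self'", COLLECT_DOMAIN]
    return "; ".join(f"{k} {' '.join(v)}" for k, v in directives.items())


def render(template: str = TEMPLATE, livetagging: bool = False):
    """Return (headers, body) for one response; both carry the same nonce."""
    nonce = new_nonce()  # never cache or reuse across responses
    body = template.replace("{TOKEN_NONCE}", nonce)
    headers = {
        "Content-Security-Policy": build_csp(nonce, livetagging),
        # A cached page would replay an old nonce, so keep it out of shared caches.
        "Cache-Control": "no-store",
    }
    return headers, body


if __name__ == "__main__":
    hdrs, html = render(livetagging=True)
    print(hdrs["Content-Security-Policy"])
    print(html)
```

The nonce in the header and the nonce attribute in the HTML must come from the same call to `render`; a value that is fixed or reused across responses gives no protection against an injected script that copies it.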