Nonce Support for Tag Control
What is a Nonce?
A nonce (short for "number used once") is a unique, unpredictable random value generated fresh for each request, that is, for every page served. In Content Security Policy (CSP) it authorizes the specific script elements that carry it to execute while blocking injected scripts that do not know the value.
Purpose of a Nonce
- Enhances web application security by enabling a strict CSP.
- Allows specific inline scripts to execute without resorting to 'unsafe-inline', reducing the risk of cross-site scripting (XSS) attacks.
For additional insights, refer to the MDN Web Docs on Content Security Policies (CSP).
How to Add a Nonce Attribute in the OMNI Tag
To add a nonce attribute to the OMNI tag via Evidon Tag Control, follow these steps:
1. Login to Evidon Tag Control.
2. Click on Generate Tag.
3. Select the option to Allow Nonce Attribute.
Once enabled, the nonce attribute is automatically included in the OMNI tag.
Example OMNI Tag with Nonce:
<script companyid="<ID>" nonce="{UNIQUE_GENERATED_NONCE}" src="https://c.evidon.com/dg/dg.js"></script>
Two Ways to Add a Nonce
1. Using the Global Property
Assign a nonce value to the global property window.__UNIQUE_CSP_NONCE before the OMNI tag (dg.js) executes.
Important: This approach is not recommended. A value stored on window is readable by any other script running on the page, so the nonce may become exposed.
2. Adding a Nonce to the OMNI Tag
Replace the {UNIQUE_GENERATED_NONCE} placeholder with a freshly generated random value on every request; it must be the same value that appears in the script-src directive of your CSP for that response.
Evidon then applies this nonce to all inline scripts it manages, so they are permitted by your policy.
CSP Integration
When generating a CSP policy using Evidon Tag Control, the nonce value is automatically included if configured.
Example CSP with Nonce:
(For demonstration purposes only. Configure according to your specific CSP requirements.)
<meta http-equiv="Content-Security-Policy" name="evidon-TagControlV2" content="default-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.betrad.com *.evidon.com *.evidondev.com; script-src 'self' 'nonce-8IBTHwOdqNKAWeKl7plt8g==';">
The nonce in the policy must be the same value as the one in the OMNI tag and must change on every response; a fixed nonce in a static page provides no protection. Once script-src contains a nonce, browsers ignore 'unsafe-inline' for scripts, so the 'unsafe-inline' above only affects the other resource types covered by default-src. Where your server can set response headers, deliver the policy as a Content-Security-Policy header rather than a <meta> element, because directives such as frame-ancestors and report-uri are not supported in <meta>.
Key Notes for Third-Party Tags
- Evidon does not manage third-party tags.
- You must add the nonce attribute to third-party scripts yourself, following each vendor's documentation, using the same per-response value as your CSP.
For additional assistance or questions, contact our support team at support@crownpeak.com.