Nonce Support for Universal Consent Platform (UCP)
A nonce (short for "number used once") is a random, unguessable value generated fresh for every response. In Content Security Policy (CSP), a 'nonce-...' source in the script-src directive tells the browser to execute only those script elements whose nonce attribute matches the value in the policy header. Script markup injected by an attacker carries no valid nonce, because the attacker cannot predict a value generated per request, so it is blocked. This mitigates cross-site scripting (XSS) and related code-injection attacks without having to allowlist individual scripts by hash or origin.
Using nonces lets organizations deploy a strict CSP while still permitting trusted scripts, including the UCP tag, to run. For more information, refer to the MDN Web Docs on Content Security Policy (CSP).
Adding a Nonce Attribute to the Site Notice Tag
The UCP Site Notice Tag supports nonce attributes, enabling compatibility with strict CSP configurations. To add a nonce:
- Log in to Privacy.
- Navigate to the Site Notices page and click Get Site Notice Tag.
- From the Select Tag Type dropdown, choose Site Notice Tag.
- Check the option Allow Nonce Attribute.
- Copy the script and deploy it on your website.
For further details on deploying a site notice and tag wrapping, refer to the documentation.
Methods for Adding a Nonce
Option 1: Using the Global Property
- Assign the nonce value to the global property window.__UNIQUE_CSP_NONCE before the UCP Evidon script tag executes.
- Note: This method is not recommended. A value stored on window is readable by every script running on the page, including third-party scripts, so the nonce can be read and reused by code that should not be trusted with it.
Option 2: Directly Adding a Nonce to the Site Notice Tag
- Replace the {{UNIQUE_GENERATED_NONCE}} placeholder in the copied tag with a value generated server-side for each request, and send the same value as a 'nonce-...' source in the page's Content-Security-Policy header. A nonce in the tag that does not appear in the header is ignored by the browser, and a nonce that is reused across responses (for example, baked into a cached page) no longer protects anything.
This ensures the nonce is applied to all scripts managed by Evidon.
Adding a Nonce with the Evidon GTM Template
If you use Google Tag Manager (GTM) to deploy your scripts, configure the nonce attribute by following Google's CSP guidelines for Google Tag Manager.
Key Notes for Third-Party Tags
- Evidon does not manage third-party tags.
- Ensure the nonce attribute is configured for third-party scripts according to their specific guidelines.
For additional assistance or questions, reach out to our support team at support@crownpeak.com.