Configuring a Content Security Policy with OneTrust CDN

Content Security Policy (CSP) is a security measure you can leverage in your CDN (i.e., the banner script) that helps protect against cross-site scripting and data injection.

CSPs prevent the use of inline styles unless an unsafe keyword is added to the CSP. OneTrust offers a nonce solution you can leverage as an alternative to unsafe keywords in CSP.

For more information, visit the MDN's resources on CSPs here.

Implementing the CSP solution

  1. Publish or re-publish your domain script. For more information, see Implementing Cookie Compliance Scripts.

  2. Add the OneTrust CDN script sources to your CSP.

    For example, if your CDN is

    // OneTrust Cookies Consent Notice start for
    <script src=""" type="text/javascript" charset="UTF-8" data-domain-script="XXXXXX" ></script>
    <script type="text/javascript">function OptanonWrapper() {} </script>
    // OneTrust Cookies Consent Notice end for

    and you have consent logging enabled, you will need to add the following domains to your CSP:


    Note: Only applicable if you are using CookiePro.


    TIP: You can use wildcarding for, i.e., *

  3. On your server, generate and populate nonce values that will update on each page load for the necessary scripts and stylesheets (OneTrust CDN and others if applicable). The nonce also needs to populate in the CSP script-src and style-src.

    For example:

    <script nonce="PPAjsdRsCmdup5UwtyLkdg==" src=""" type="text/javascript" charset="UTF-8" data-domain-script="XXXXXXX" ></script>

    The nonce must be unique for each HTTP response and should be generated using a cryptographically secure random generator. The nonce should have sufficient length, so aim for at least 128 bits of entropy (32 hex characters, or about 24 base64 characters).