Configuring a Content Security Policy with OneTrust CDN

Content Security Policy (CSP) is a security measure you can leverage in your CDN (i.e., the banner script) that helps protect against cross-site scripting and data injection.

CSPs prevent the use of inline styles unless an unsafe keyword is added to the CSP. OneTrust offers a nonce solution you can leverage as an alternative to unsafe keywords in CSP.

For more information, see MDN's documentation on Content Security Policy.

Implementing the CSP solution

  1. Publish or re-publish your domain script. For more information, see Implementing Cookie Compliance Scripts.

  2. Add the OneTrust CDN script sources to your CSP.

    For example, if your CDN is

    <!-- OneTrust Cookies Consent Notice start for onetrust.com -->
    <script src="https://cdn.cookielaw.org/scripttemplates/otSDKStub.js" type="text/javascript" charset="UTF-8" data-domain-script="XXXXXX"></script>

    <script type="text/javascript">function OptanonWrapper() {} </script>
    <!-- OneTrust Cookies Consent Notice end for onetrust.com -->


    and you have consent logging enabled, you will need to add the following domains to your CSP:

    • cdn.cookielaw.org
    • cookie-cdn.cookiepro.com (Note: only applicable if you are using CookiePro)
    • privacyportal.onetrust.com
    • geolocation.onetrust.com

    TIP: You can use a wildcard for the onetrust.com subdomains, i.e., *.onetrust.com. The wildcard covers only onetrust.com hosts; cdn.cookielaw.org and cookie-cdn.cookiepro.com still have to be listed separately.

  3. On your server, generate a fresh nonce value on each page load and insert it into the necessary script and stylesheet tags (the OneTrust CDN script, and others if applicable). The same nonce must also appear in the CSP's script-src and style-src directives.

    For example:

    <script nonce="PPAjsdRsCmdup5UwtyLkdg==" src="https://cdn.cookielaw.org/scripttemplates/otSDKStub.js" type="text/javascript" charset="UTF-8" data-domain-script="XXXXXXX"></script>


    The nonce must be unique for each HTTP response and should be generated using a cryptographically secure random generator. The nonce should have sufficient length, so aim for at least 128 bits of entropy (32 hex characters, or about 24 base64 characters).