[Security] Improve CSP Support by Adding Nonce Compatibility for Marketo’s Injected Scripts


Hi all,

To enhance the security of our domain, https://planonsoftware.com, we are working to enable nonces in our Content Security Policy (CSP) header. As part of our testing phase, we enabled nonce support in Reporting Only mode in our development environment.

During this process, we encountered an issue with Marketo. Marketo injects a <style> tag for the tool 'modernizr', which doesn't comply with nonce-based CSP. We considered adding the hash of the modernizr file to our CSP, which could solve the issue temporarily, as suggested in another Idea. However, this solution would break if Adobe Marketo changes the script in the future. Therefore, it would be ideal for Marketo to address this issue directly by supporting nonces, as it's a basic security best practice.

P.S. We also reported this as an issue (Case Number 02814654), but since it was classified as new functionality, it wasn't resolved. We were directed to raise an Idea here on Marketo Nation so that the Product Management team can review it for the roadmap. I'd strongly encourage prioritizing this issue to align with modern security standards.
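
The trade-off described in the post above, as an added example that is not part of the original post or Marketo's code: a simplified model of `style-src` matching that shows a pinned hash failing as soon as the injected `<style>` content changes, while a nonce-carrying tag keeps passing. The sample markup, function names and the regex-based tag matching are assumptions made for illustration.

```python
import base64
import hashlib
import re
import secrets

# Constructed samples standing in for an inline <style> injected by a vendor script.
INJECTED_V1 = "<style>.js .hidden{display:none}</style>"
INJECTED_V2 = "<style>.js .hidden{display:none!important}</style>"  # after a vendor update

STYLE_RE = re.compile(r"<style(?P<attrs>[^>]*)>(?P<body>.*?)</style>", re.S | re.I)
NONCE_RE = re.compile(r'nonce="([^"]*)"', re.I)


def csp_hash(body: str) -> str:
    """CSP hash-source: base64 SHA-256 of the exact inline element content."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def new_nonce() -> str:
    """Fresh, unpredictable nonce; it must be regenerated for every response."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_policy(nonce: str, pinned_hashes=()) -> str:
    """Directive value for Content-Security-Policy(-Report-Only)."""
    sources = [f"'nonce-{nonce}'", *pinned_hashes]
    return "style-src " + " ".join(sources)


def violations(html: str, policy: str) -> list:
    """Return the inline <style> bodies this style-src policy would block."""
    sources = set(policy.split()[1:])
    blocked = []
    for match in STYLE_RE.finditer(html):
        nonce = NONCE_RE.search(match.group("attrs"))
        by_nonce = nonce is not None and f"'nonce-{nonce.group(1)}'" in sources
        by_hash = csp_hash(match.group("body")) in sources
        if not (by_nonce or by_hash):
            blocked.append(match.group("body"))
    return blocked


if __name__ == "__main__":
    nonce = new_nonce()
    pinned = csp_hash(STYLE_RE.search(INJECTED_V1).group("body"))
    policy = build_policy(nonce, [pinned])
    print("Content-Security-Policy-Report-Only:", policy)
    print("v1 blocked:", violations(INJECTED_V1, policy))
    print("v2 blocked:", violations(INJECTED_V2, policy))
```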