[Security] Improve CSP Support by Adding Nonce Compatibility for Marketo’s Injected Scripts

[Security] Improve CSP Support by Adding Nonce Compatibility for Marketo’s Injected Scripts

Hi all,

 

To enhance the security of our domain, https://planonsoftware.com, we are working to enable nonces in our Content Security Policy (CSP) header. As part of our testing phase, we enabled nonce support in Reporting Only mode in our development environment.

 

During this process, we encountered an issue with Marketo. Marketo injects a <style> tag for the tool 'modernizr', which doesn't comply with nonce-based CSP. We considered adding the hash of the modernizr file to our CSP, which could solve the issue temporarily, as suggested in another Idea. However, this solution would break if Adobe Marketo changes the script in the future. Therefore, it would be ideal for Marketo to address this issue directly by supporting nonces, as it's a basic security best practice.

P.S. We also reported this as an issue (Case Number 02814654), but since it was classified as new functionality, it wasn't resolved. We were directed to raise an Idea here on Marketo Nation so that the Product Management team can review it for the roadmap. I'd strongly encourage prioritizing this issue to align with modern security standards.

1 Comment
PatrickSmits
Level 1

To help resolve the issue, I'm adding a few screenshots to help you locate and identify the issue.

Screenshot 2024-11-21 105927.png

Screenshot 2024-11-21 105813.png