This article describes Content Security Policy (CSP) and how to integrate it with your AdSense ad code. Note that publishers are not required to use CSP. If you do want to use CSP, follow the steps below to ensure your AdSense code works correctly when you enable CSP.
What is CSP
Content Security Policy (CSP) is a means of securing your web page by limiting what resources and scripts are allowed to load and execute. You can enable CSP by setting a Content-Security-Policy header in HTTP responses from your web server.
There are two standard ways to configure CSP:
- Specify an allowlist of domains that can inject their resources on the page.
- Specify a random nonce, with which resources on the page must be marked in order to load. This approach is known as strict CSP.
Because the domains that the AdSense ad code uses change over time, we only support strict CSP (option 2). This approach removes the need to maintain a rolling list of domains that might become outdated and break your site.
Setting up strict CSP with the AdSense ad code
To enable CSP on your web server, follow the steps outlined in Adopt a strict CSP which explains how to set up the CSP header and apply the nonce to every script tag on your page, including the AdSense code. The AdSense code specifically supports the following CSP directives:
Content-Security-Policy:
object-src 'none';
script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:;
base-uri 'none';
report-uri https://your-report-collector.example.com/You can choose a more permissive policy if it fits your use case. More restrictive policies may break without notice.
Code example
Here's an example of the AdSense code with strict CSP:
<script nonce="${nonce}" async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=i-gno/re-d1234&host=ca-host-pub-5678" crossorigin="anonymous">
</script>
<ins class="adsbygoogle"
style="display:inline-block;width:728px;height:90px"
data-ad-client="i-gno/re-d1234"
data-ad-host="ca-host-pub-5678">
</ins>
<script nonce="${nonce}">
(adsbygoogle = window.adsbygoogle || []).push({});
</script>Testing
We recommend that you test your policies first by setting the Content-Security-Policy-Report-Only header instead of Content-Security-Policy. The header reports violations but still allows them on the page.
