Improvement
Jul 8, 2025
To further secure your AI Commerce Cloud storefront, every inline script now requires a unique, one-time “safety stamp” (a Content Security Policy nonce) that is generated fresh for each page view and announced to the browser in the page's CSP header. If a script tag does not carry the matching nonce, the browser blocks it before it can run.
Why this matters:
Stops injected scripts from executing: an attacker who manages to get markup into your storefront (for example through a cross-site scripting flaw) does not know the current nonce, so the browser refuses to run the injected script.
Each nonce is generated fresh for every page load, so it cannot be predicted in advance or replayed from an earlier response; a nonce captured from one page view is useless on the next.
Protects your customers and strengthens trust in your brand.
Important implications for you:
Inline JavaScript will no longer execute, because it never receives a nonce. This covers <script> blocks pasted directly into WYSIWYG editors or WordPress editors, and also inline event handler attributes such as onclick="..." and javascript: URLs, which cannot carry a nonce at all.
To keep a custom script or widget working, move the JavaScript into an external file. The file must be served from an approved domain, and that domain must be listed in /app/csp.js; a script loaded from a host that is not on the list is blocked just like an inline one.
Script tags emitted by the platform itself, such as the one that loads page.service.js, receive a nonce automatically. Whatever is written into those files therefore runs with full trust, so keep write access to them strictly controlled.
Key takeaway:
No immediate action is required for most merchants, and your store is now safer by default. However, if you rely on inline JavaScript, migrate those scripts to external files on approved domains so they keep working. This update strengthens your security posture without sacrificing flexibility or performance.