Newer Version Available
Content Security Policy Restrictions in Communities
There are three levels of script security, providing enough flexibility to prevent affecting existing communities and code.
| Script Security Level | Description |
|---|---|
| Strict CSP: Block Inline Scripts and Script Access to All Third-party Hosts | Recommended—provides maximum security.
|
| Allow Inline Scripts and Script Access to Whitelisted Third-party Hosts | Provides moderate security.
|
Stricte CSP tightens CSP to mitigate the risk of cross-site scripting attacks by disallowing the unsafe-inline and unsafe-eval keywords for inline scripts (script-src). Ensure that your code and the third-party libraries that you use adhere to these rules by removing all calls using eval() or inline JavaScript code execution. You might have to update your third-party libraries to modern versions that don’t depend on unsafe-inline or unsafe-eval.
In addition to affecting custom Lightning components, stricter CSP also affects the markup used in the <head> of your community’s pages, when enabled. Inline scripts aren’t permitted, and a warning appears when you enter unsupported markup tags in in Community Builder.
What Do I Need to Do and When?
To make sure that your community works as expected, the “Allow Inline Scripts and Script Access to Any Third-party Host” setting maintains the same security level as before Winter ‘19.