Newer Version Available

This content describes an older version of this product. View Latest

Content Security Policy Restrictions in Communities

The Lightning Component framework uses Content Security Policy (CSP), which is a W3C standard, to control the source of content that can be loaded on a page.

In Winter ’19, the “Enable Stricter Content Security Policy for Lightning Components in Communities” critical update was replaced with new CSP options in Settings | Security in Community Builder.

Note

There are three levels of script security, providing enough flexibility to prevent affecting existing communities and code.

Script Security Level Description
Strict CSP: Block Inline Scripts and Script Access to All Third-party Hosts Recommended—provides maximum security.
  • Blocks all inline scripts from running in your site
  • Allows non-script resources, such as images, from approved third-party hosts to display
Allow Inline Scripts and Script Access to Whitelisted Third-party Hosts Provides moderate security.
  • Blocks script hosts that are not explicitly whitelisted
  • Allows non-script resources, such as images, from approved third-party hosts to display

Stricte CSP tightens CSP to mitigate the risk of cross-site scripting attacks by disallowing the unsafe-inline and unsafe-eval keywords for inline scripts (script-src). Ensure that your code and the third-party libraries that you use adhere to these rules by removing all calls using eval() or inline JavaScript code execution. You might have to update your third-party libraries to modern versions that don’t depend on unsafe-inline or unsafe-eval.

In addition to affecting custom Lightning components, stricter CSP also affects the markup used in the <head> of your community’s pages, when enabled. Inline scripts aren’t permitted, and a warning appears when you enter unsupported markup tags in Settings | Advanced in Community Builder.

What Do I Need to Do and When?

To make sure that your community works as expected, the “Allow Inline Scripts and Script Access to Any Third-party Host” setting maintains the same security level as before Winter ‘19.

However, in Spring ‘19 (February 2019), Strict CSP becomes the standard CSP setting for all new communities. And in Winter ‘20 (October 2019), the current default setting is being removed for existing communities. Consider the level of security your community requires, and decide when to take the required steps.

We recommend using Chrome to develop your site because we added extra error guidance when viewing your site. After you set the CSP security level for your community, test it in other browsers to make sure that your customers have a good experience.

Note