Newer Version Available

This content describes an older version of this product. View Latest

Content Security Policy Restrictions in Communities

The Lightning Component framework uses Content Security Policy (CSP). CSP is a W3C standard for controlling the source of content that can be loaded on a page.

In Winter ’19, the “Enable Stricter Content Security Policy for Lightning Components in Communities” critical update was replaced with new CSP options in Settings | Security in Community Builder.

Note

There are three levels of script security, providing enough flexibility to prevent affecting existing communities and code.

Script Security Level Description
Strict CSP: Block Inline Scripts and Script Access to All Third-party Hosts Default setting for communities created in Spring ’19 (February 2019) and later.
Provides maximum security.
  • Blocks all inline scripts from running in your site
  • Allows non-script resources, such as images, from approved third-party hosts to display
Allow Inline Scripts and Script Access to Whitelisted Third-party Hosts Provides moderate security.
  • Blocks script hosts that are not explicitly whitelisted
  • Allows non-script resources, such as images, from approved third-party hosts to display
Allow Inline Scripts and Script Access to Any Third-party Host Default setting for communities created before Spring ’19. Unavailable for communities created in Spring ’19 and later.
Provides no added security but enables your community to work as currently designed.
  • Blocks nothing
  • Allows access to all third-party hosts without the need for whitelisting

In Spring ’20 (February 2020), this option is being removed.

Note

Strict CSP tightens CSP to mitigate the risk of cross-site scripting attacks by disallowing the unsafe-inline and unsafe-eval keywords for inline scripts (script-src). Ensure that your code and the third-party libraries that you use adhere to these rules by removing all calls using eval() or inline JavaScript code execution. Consider updating your third-party libraries to modern versions that don’t depend on unsafe-inline or unsafe-eval.

In addition to affecting custom Lightning components, stricter CSP also affects the markup used in the <head> of your community’s pages, when enabled. Inline scripts aren’t permitted, and a warning appears when you enter unsupported markup tags in Settings | Advanced in Community Builder.

What Do I Need to Do and When?

Lighting communities created before the Spring ’19 (February 2019) release use the Allow Inline Scripts and Script Access to Any Third-party Host setting by default. In Spring ’20 (February 2020), that option is being removed for those communities. We strongly recommend updating your script security level and testing your community before that option expires.

For new communities created after the Spring ’19 release, Strict CSP is the default CSP setting, so no action is required.

We recommend using Chrome to develop your site because we added extra error guidance when viewing your site. After you set the CSP security level for your community, test it in other browsers to make sure that your customers have a good experience.

Note