Newer Version Available
Content Security Policy Restrictions in Communities
There are three levels of script security, providing enough flexibility to prevent affecting existing communities and code.
| Script Security Level | Description |
|---|---|
| Strict CSP: Block Inline Scripts and Script Access to All Third-party Hosts | Default setting for communities created in Spring ’19 (February 2019) and
later. Provides maximum security.
|
| Allow Inline Scripts and Script Access to Whitelisted Third-party Hosts | Provides moderate security.
|
| Allow Inline Scripts and Script Access to Any Third-party Host | Default setting for communities created before Spring ’19. Unavailable for
communities created in Spring ’19 and later. Provides no added security but
enables your community to work as currently designed.
|
Strict CSP tightens CSP to mitigate the risk of cross-site scripting attacks by disallowing the unsafe-inline and unsafe-eval keywords for inline scripts (script-src). Ensure that your code and the third-party libraries that you use adhere to these rules by removing all calls using eval() or inline JavaScript code execution. Consider updating your third-party libraries to modern versions that don’t depend on unsafe-inline or unsafe-eval.
In addition to affecting custom Lightning components, stricter CSP also affects the markup used in the <head> of your community’s pages, when enabled. Inline scripts aren’t permitted, and a warning appears when you enter unsupported markup tags in in Community Builder.
What Do I Need to Do and When?
Lighting communities created before the Spring ’19 (February 2019) release use the Allow Inline Scripts and Script Access to Any Third-party Host setting by default. In Spring ’20 (February 2020), that option is being removed for those communities. We strongly recommend updating your script security level and testing your community before that option expires.
For new communities created after the Spring ’19 release, Strict CSP is the default CSP setting, so no action is required.