Use the New Content Security Policy to Better Protect Your Community

New settings give you the option to apply different levels of Content Security Policy (CSP) to your community, including strict CSP. The strict CSP setting protects you and your customers by allowing only content from explicitly whitelisted external hosts to display in your communities and by blocking all inline scripts.

Where: This feature is available in Lightning communities accessed through Lightning Experience and Salesforce Classic, and is available in Essentials, Enterprise, Performance, Unlimited, and Developer editions.

Why: Unfettered access by third-party hosts into a site isn’t the most secure way to do business. Salesforce has always had ways to whitelist external hosts through CSP Trusted Sites. However, up to now we’ve been a bit more relaxed in Communities because they were mostly self-contained. With the addition of features like Content Management, greater control is needed. While we recommend strict CSP, you can choose a less secure option that lets you continue to run inline scripts, with or without host whitelisting.
Note

With the addition of this feature, we removed the “Enable Stricter CSP for Lightning Components in Communities” option from your Critical Update Console.

How: With Winter ‘19, we’ll automatically set existing communities to the least restrictive CSP setting to ensure they continue to work. New communities will automatically be set to Strict CSP. You can choose a different level if needed.

Figure: Security Settings screen showing the CSP options

Table 1. Content Security Policy Options
Script Security Level (the description follows each option)

Strict CSP: Block Inline Scripts and Script Access to All Third-party Hosts
    Recommended. Ensures that no inline scripts can run in your site and that scripts are not loaded from any third-party host. Only non-script resources, such as images, from approved third-party hosts are allowed to display, once those hosts are added to the CSP Trusted Sites list in Salesforce org settings.

Allow Inline Scripts and Script Access to Whitelisted Third-party Hosts
    Inline scripts can run in your community, and scripts can be loaded from hosts whitelisted with Add Trusted Site. Non-script resources, such as images, must be whitelisted separately through CSP Trusted Sites in your Salesforce org settings.

Allow Inline Scripts and Script Access to Any Third-party Host (Default)
    The least secure setting, but it ensures that your community works as designed until you can review and update your site.
Note

The least secure option, Allow Inline Scripts and Script Access to Any Third-party Host, will be retired in the Winter ‘20 release. Start planning the transition to a stricter level now to avoid issues later.
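To make the difference between the three script security levels concrete, here is an added example (not Salesforce’s own code, and not the exact headers the platform emits) of how a browser applies CSP script-src and img-src directives to a page’s loads. The three policy strings, the community origin https://community.example.com, the trusted host https://cdn.example.com and the list of attempted loads are constructed assumptions; nonces and hashes, which real Lightning pages rely on, are deliberately left out of the model.

```javascript
// Added example, not Salesforce's code: a small model of how a browser applies
// CSP script-src and img-src directives, used to compare the three Communities
// script security levels. The policy strings, the site origin and the trusted
// host below are constructed assumptions, not the headers the platform emits.
// Nonces and hashes (which real Lightning pages rely on) are left out on purpose.

const SITE_ORIGIN = "https://community.example.com"; // assumed community origin
const TRUSTED_HOST = "https://cdn.example.com";       // assumed entry in CSP Trusted Sites

// Illustrative policies: the three levels differ only in script-src.
// Non-script resources still need the host in CSP Trusted Sites at every level.
const POLICIES = {
  strict:      `default-src 'self'; script-src 'self'; img-src 'self' ${TRUSTED_HOST}`,
  whitelisted: `default-src 'self'; script-src 'self' 'unsafe-inline' ${TRUSTED_HOST}; img-src 'self' ${TRUSTED_HOST}`,
  any:         `default-src 'self'; script-src 'self' 'unsafe-inline' https:; img-src 'self' ${TRUSTED_HOST}`,
};

// Parse "dir a b; dir2 c" into { dir: ["a", "b"], dir2: ["c"] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does a single source expression permit loading `url`?
function sourceMatches(expr, url, selfOrigin) {
  if (expr === "'self'") return url.origin === selfOrigin;
  if (expr.startsWith("'")) return false;                 // other keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {               // scheme-source, e.g. https:
    return url.protocol === expr.toLowerCase();
  }
  // host-source: [scheme://]host[:port][/path]; port and path are ignored in this model
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(expr);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1).toLowerCase());
  return url.hostname === host.toLowerCase();
}

// Is a load allowed? kind is "script" or "img"; src === null means an inline script.
function isAllowed(policy, kind, src, selfOrigin = SITE_ORIGIN) {
  const d = parseCsp(policy);
  const sources = d[`${kind}-src`] || d["default-src"] || [];
  if (src === null) return sources.includes("'unsafe-inline'"); // inline needs the keyword
  const url = new URL(src);
  return sources.some((expr) => sourceMatches(expr, url, selfOrigin));
}

// Constructed loads a community page might attempt.
const CHECKS = [
  { label: "inline script",            kind: "script", src: null },
  { label: "script from trusted host", kind: "script", src: `${TRUSTED_HOST}/app.js` },
  { label: "script from unknown host", kind: "script", src: "https://unknown.example.net/x.js" },
  { label: "image from trusted host",  kind: "img",    src: `${TRUSTED_HOST}/logo.png` },
  { label: "image from unknown host",  kind: "img",    src: "https://unknown.example.net/t.gif" },
];

// Evaluate every check against one level; returns { label: allowed }.
function evaluateLevel(level) {
  const out = {};
  for (const c of CHECKS) out[c.label] = isAllowed(POLICIES[level], c.kind, c.src);
  return out;
}

for (const level of Object.keys(POLICIES)) {
  console.log(level.padEnd(12), evaluateLevel(level));
}
```

Running it prints one row per level: under strict only the image from the trusted host loads; the whitelisted level additionally allows the inline script and the script from the trusted host; the default level allows scripts from any https: host, which is exactly the exposure the retirement notice above is about. The image rows are identical across all three levels, reflecting that non-script resources are governed by CSP Trusted Sites regardless of the script security level.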