Use the New Content Security Policy to Better Protect Your Community
Where: This feature is available in Lightning communities accessed through Lightning Experience and Salesforce Classic, and is available in Essentials, Enterprise, Performance, Unlimited, and Developer editions.
How: With Winter ’19, we’ll automatically set existing communities to the least restrictive CSP setting to ensure they continue to work. New communities will automatically be set to Strict CSP. You can choose a different level if needed.
| Script Security Level | Description |
| --- | --- |
| Strict CSP: Block Inline Scripts and Script Access to All Third-party Hosts | Recommended. Ensures that no inline scripts can run in your site. Only non-script resources, such as images, from approved third-party hosts are allowed to display when added to the CSP Trusted Sites list in Salesforce org settings. |
| Allow Inline Scripts and Script Access to Whitelisted Third-party Hosts | Hosts whitelisted with Add Trusted Site can execute inline scripts in your community. Non-script resources, such as images, must be whitelisted separately through CSP Trusted Sites in your Salesforce org settings. |
| Allow Inline Scripts and Script Access to Any Third-party Host | (Default) The least secure setting, but ensures that your community works as designed until you can review and update your site. |
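
As an added illustration (not Salesforce code or output), this Python check classifies a `Content-Security-Policy` response header by the two properties the levels in the table differ on: whether inline scripts can run and which hosts scripts may load from. The level labels, the `first_party` parameter, and the sample headers are constructed assumptions; the page does not state which header each setting emits.

```python
# Added example: level labels and sample headers are constructed for illustration.
ANY_HOST = ("*", "https:", "http:")
GUARDS = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header):
    """Return {directive: [sources]}; the first occurrence of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def script_sources(policy):
    """script-src falls back to default-src; None means nothing governs scripts."""
    for name in ("script-src", "default-src"):
        if name in policy:
            return policy[name]
    return None

def classify(header, first_party=()):
    """Map a CSP header onto the three script security levels in the table.

    first_party: lowercase host sources you treat as your own (an assumption).
    """
    sources = script_sources(parse_csp(header))
    if sources is None:
        return "any-host"  # no directive restricts scripts at all
    # A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP Level 2+).
    guarded = any(s.startswith(GUARDS) for s in sources)
    inline = "'unsafe-inline'" in sources and not guarded
    any_host = any(s in ANY_HOST for s in sources)
    third_party = [s for s in sources
                   if not s.startswith("'") and not s.endswith(":")
                   and s != "*" and s not in first_party]
    if inline and any_host:
        return "any-host"
    if inline:
        return "allowlisted-hosts"
    if not any_host and not third_party:
        return "strict"
    return "unmatched"  # e.g. inline blocked but third-party script hosts listed

if __name__ == "__main__":
    # Constructed sample header, not captured from a real community.
    print(classify("script-src 'self' 'unsafe-inline' https://cdn.example.com"))
```

A result of `any-host` on an existing community is the cue to review its scripts and move it to a stricter level.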