This content describes an older version of this product.

Content Security Policy in Lightning Communities

Lightning Communities enforce a Content Security Policy (CSP). CSP is a W3C standard for controlling the source of content that can be loaded on a page.

In Winter ’19, the “Enable Stricter Content Security Policy for Lightning Components in Communities” critical update was replaced with new CSP options in Settings | Security in Experience Builder.

Note

Experience Builder provides different levels of script security for Lightning Communities. CSP levels are specific to each community. See “Select a Security Level in Lightning Communities” in Salesforce Help.

Security Level and Description

Strict CSP: Block Inline Scripts and Script Access to All Third-party Hosts
Default setting for communities created in Spring ’19 (February 2019) and later. Provides maximum security.
  • Blocks the execution of all inline scripts and all requests for remote JavaScript files.
  • Allows the display of non-script resources, such as images, from third-party hosts that are explicitly allowed.
  • Lightning Locker is turned on.

Relaxed CSP: Permit Access to Inline Scripts and Allowed Hosts
Provides moderate security.
  • Allows inline scripts to run in your site.
  • Allows the loading of remote JavaScript files and the display of non-script resources, such as images, from third-party hosts that are explicitly allowed.
  • Allows you to turn off Lightning Locker.

Allow Inline Scripts and Script Access to Any Third-party Host
Provides no added security, but enables your community to work as currently designed.
  • Blocks nothing.
  • Allows access to all third-party hosts without the need to specifically identify those hosts.
  • Lightning Locker is turned on.
This option is only visible for communities created before Spring ’19. In Spring ’21 (February 2021), this option is being removed.

Note

Strict CSP mitigates the risk of cross-site scripting (XSS) and other content injection attacks by disallowing the unsafe-inline keyword for inline scripts. Consider updating your third-party libraries to modern versions that don’t depend on unsafe-inline. For more information, see “eval() Function is Limited by Lightning Locker” in the Lightning Aura Components Developer Guide.
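The following is an added illustrative example, not code from Salesforce or from this help page. It models the three security levels in the table above as script-src directives of increasing strictness and evaluates whether an inline script or a remote script would be allowed under each. The policy strings, the allowed-host list (cdn.example.com) and the page origin (mysite.example.com) are constructed for illustration and are not the exact headers a Lightning community emits; nonces and hashes, which real policies may also use for inline scripts, are deliberately left out of the model.

```javascript
// Added example: how three CSP script-src settings treat inline scripts and
// remote script hosts. Policy strings are illustrative, NOT the exact headers
// Salesforce sends for each Experience Builder security level.

const ALLOWED_HOSTS = ["https://cdn.example.com"]; // constructed allowed-host list

// Build a script-src directive for one of the three security levels.
function buildScriptSrc(level, allowedHosts = ALLOWED_HOSTS) {
  switch (level) {
    case "strict":
      // No 'unsafe-inline', no remote hosts: only same-origin scripts run.
      return "script-src 'self'";
    case "relaxed":
      // Inline scripts permitted; remote scripts only from explicitly allowed hosts.
      return `script-src 'self' 'unsafe-inline' ${allowedHosts.join(" ")}`;
    case "permissive":
      // Inline scripts permitted and any host may serve scripts.
      return "script-src 'self' 'unsafe-inline' *";
    default:
      throw new Error(`unknown level: ${level}`);
  }
}

// Split a script-src directive into its source expressions.
function parseScriptSrc(directive) {
  const [name, ...sources] = directive.trim().split(/\s+/);
  if (name !== "script-src") throw new Error("expected a script-src directive");
  return sources;
}

// Decide whether a script is allowed by the directive.
// `script` is either { inline: true } or { url: "https://host/path.js" }.
// `pageOrigin` is the origin of the page that carries the policy.
function isScriptAllowed(directive, script, pageOrigin) {
  const sources = parseScriptSrc(directive);
  if (script.inline) {
    // In this model an inline script only runs when 'unsafe-inline' is present
    // (nonce- and hash-sources are omitted for brevity).
    return sources.includes("'unsafe-inline'");
  }
  const origin = new URL(script.url).origin;
  return sources.some((src) => {
    if (src === "*") return true;                 // any host
    if (src === "'self'") return origin === pageOrigin;
    if (src.startsWith("'")) return false;        // other keywords never match a host
    // Host-source: compare scheme + host + port; wildcard subdomains are not modelled.
    try {
      return new URL(src).origin === origin;
    } catch {
      return false;
    }
  });
}

// Evaluate one script against all three levels and return {level: allowed}.
function evaluateAll(script, pageOrigin = "https://mysite.example.com") {
  return Object.fromEntries(
    ["strict", "relaxed", "permissive"].map((lvl) => [
      lvl,
      isScriptAllowed(buildScriptSrc(lvl), script, pageOrigin),
    ])
  );
}

// Demo: an inline script, a script from the allowed CDN, and one from an
// unlisted host (all constructed).
console.log("inline       ", evaluateAll({ inline: true }));
console.log("allowed host ", evaluateAll({ url: "https://cdn.example.com/lib.js" }));
console.log("unlisted host", evaluateAll({ url: "https://other.example.net/x.js" }));
```

Reading the output row by row shows the trade-off the table describes: strict rejects both the inline script and every remote script, relaxed admits the inline script and the explicitly listed host but still rejects the unlisted one, and the permissive level admits everything.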

When enabled, strict CSP affects not only custom Lightning components but also the markup used in the <head> of your community’s pages. Inline scripts aren’t permitted, and a warning appears when you enter unsupported markup tags in Settings | Advanced in Experience Builder.