Content Security Policies and Personalization JavaScript Beacon Directives
The Personalization JavaScript beacon currently uses the unsafe-eval directive, which allows the use of dynamic code evaluation functions such as eval(). As part of our ongoing efforts to enhance security standards, we're working on removing the dependency on unsafe-eval in the JavaScript beacon.
In the meantime, if your organization's security scanner flags the presence of the unsafe-eval directive in the JavaScript beacon, include the unsafe-inline directive in your Content Security Policy as a workaround.
Add the unsafe-inline directive to your Content Security Policy, especially if:
- your site has a pre-existing Content Security Policy
- you're using web templates and have the Handlebars Gear enabled
- you haven't already included the
unsafe-inlinedirective in your Content Security Policy.
- If you're already using
unsafe-evalelsewhere, you don't have to immediately stop using it. However, you must include theunsafe-inlinedirective in your Content Security Policy. If your Content Security Policy does not currently haveunsafe-evalbut includesunsafe-inline, you should not encounter any issues. - The changes we're making to the JavaScript beacon are designed with backward compatibility in mind. This approach ensures that you have ample time for conducting security reviews and obtaining necessary approvals before making adjustments to your Content Security Policy.
- Salesforce Developers: Managing CORS with the Salesforce Interactions SDK Launcher
- Salesforce Developers: Web Template Handlebars
- External Link: MDN Web Docs:
Content-Security-Policy