The Salesforce Developers website will undergo maintenance on May 29, 2024 from 3:00 a.m. UTC to 10:00 a.m. UTC. The maintenance process may affect the availability of our documentation. Please plan accordingly.

Before Using CMS Connect

Review these pointers and prerequisites before you connect your CMS to Experience Builder.

CMS Connect requires an HTTP server that can serve HTML fragments, either static or rendered on demand. Fragments can include headers, footers, components, CSS, or JavaScript.

URLs in CSS and JavaScript must be absolute. Relative URLs in HTML are OK and are converted for you. CMS Connect appends host names and converts relative URLs to absolute URLs in these HTML tags and attributes.

  • <img> tag src attribute
  • <audio> tag src attribute
  • <input> tag
  • <button> tag
  • <video> tag src and poster attributes
  • <a> and <area> tags href attribute
  • <form> tag action attribute
  • <del>, <ins>, <blockquote>, and <q> tags cite attribute

CMS Connect uses Cross-Origin Resource Sharing (CORS) to access external content. Make sure to add Site Host to the list of trusted hosts in the CORS header in your CMS system.

CORS is a web standard for accessing web resources on different domains. CORS is a required technology to connect your CMS to Salesforce. It’s a technique for relaxing the same-origin policy, allowing JavaScript on a web page to consume a REST API served from a different origin. CORS allows JavaScript to pass data to the servers at Salesforce using CMS Connect.

To enable CORS in development environments, we recommend using a Chrome plugin. For production environments, review your CMS documentation on enabling CORS.

For more information about CORS, see

The domains that you allowlist are unique to your org and differ depending on whether enhanced domains are enabled. However, the domains do follow a general set of patterns.

This table shows Experience Builder hostname formats in orgs with enhanced domains.

DomainHostname Pattern
Builder Preview (Production){MyDomainName}
Builder Live Preview (Production){MyDomainName}
Builder Preview (Sandbox){MyDomainName}--{SandboxName}
Builder Live Preview (Sandbox){MyDomainName}--{SandboxName}

This table shows Experience Builder hostname formats in orgs without enhanced domains.

DomainURL Pattern
Builder Preview (Production){MyDomainName}--sitepreview.{InstanceName}
Builder Live Preview (Production){MyDomainName}--livepreview.{InstanceName}
Builder Preview (Sandbox){MyDomainName}--{SandboxName}--sitepreview.{InstanceName}
Builder Live Preview (Sandbox){MyDomainName}--{SandboxName}--livepreview.{InstanceName}

Content Security Policy (CSP) requires external hosts to be allowlisted appropriately. Script resources, such as JavaScript, must be allowlisted in the Security settings of Builder. Non-script resources, such as images and CSS, must be allowlisted in CSP Trusted Sites in your Salesforce org settings. CMS Connect attempts to allowlist hosts that it’s aware of for you, but it doesn’t capture links in imported content, for example.

CMS Connect (JSON) connections that use authenticated sources work only for authenticated users in your site.

CMS Connect filters out the same HTML tags that Lightning Locker and Aura components do. Get familiar with them now to avoid surprises later.

This list includes tags and attributes that are known to be blocklisted. Some blocklisted tags and attributes may not be listed. Attributes are blocklisted regardless of their value.

  • <applet>
  • <base>
  • <basefont>
  • <command>
  • <embed>
  • <frame>
  • <frameset>
  • <iframe>
  • <keygen>
  • <link>
  • <meta>
  • <noframes>
  • <noscript>
  • <object>
  • <param>
  • <script>
  • <title>
  • accept-charset
  • accesskey
  • allow
  • async
  • autocapitalize
  • autofocus
  • autoplay
  • buffered
  • challenge
  • charset
  • code
  • codebase
  • content
  • contenteditable
  • contextmenu
  • controls
  • data
  • decoding
  • defer
  • dirname
  • draggable
  • dropzone
  • form
  • formaction
  • http-equiv
  • icon
  • importance
  • itemprop
  • keytype
  • kind
  • language
  • lazyload
  • manifest
  • minlength
  • muted
  • ping
  • sandbox
  • scoped
  • slot
  • spellcheck
  • srcdoc
  • srclang
  • start
  • target
  • translate
  • wrap

Only these MIME types are supported.

  • CONTENT_TYPES_HTML: 'text/html'
  • CONTENT_TYPES_JS: 'application/javascript'
  • CONTENT_TYPES_JSON: 'application/json'

All CMS servers that you connect must be accessible via unauthenticated HTTPS (HTTP over SSL) to retrieve HTML and JavaScript. When you set up a CMS connection, the server URL that you enter must start with HTTPS to ensure that all required web communications remain private. An SSL certificate is required for unauthenticated HTTPS for all traffic between your servers and Salesforce.

All JavaScript and CSS files referenced by your HTML must point to your CMS source.

To use CMS Connect, you must have Experience Workspaces enabled. From Setup, go to Digital Experiences | Settings. Make sure that the Enable Experience Workspaces checkbox is selected.

CMS Connect is controlled by an org permission that’s turned on by default. If you’re not seeing CMS Connect in your Experience Workspaces, it’s possible that the permission is turned off. You can ask Salesforce Customer Support to turn it back on for you.