Prepare Your Community for Upcoming CSP Changes

In Spring ’21 (February 2021), the Allow Inline Scripts and Script Access to Any Third-party Host CSP setting is being removed. If your community was created before Spring ’19 and currently uses this setting, now is the time to prepare.

Where: This change applies to Lightning communities accessed through Lightning Experience and Salesforce Classic in Enterprise, Essentials, Performance, Unlimited, and Developer editions.

Why: The Allow Inline Scripts and Script Access to Any Third-party Host CSP option allows access to all third-party hosts and provides no added security. So to improve security for all communities, the setting is being removed in Spring ’21.

To prepare for that change and ensure that you have adequate time for testing, we recommend switching your community to a more secure option now. You can choose from the following security levels.

Security Level: Strict CSP: Block Inline Scripts and Script Access to All Third-party Hosts
Description: Provides maximum security.
  • Blocks the execution of all inline scripts and all requests for remote JavaScript files.
  • Allows the display of non-script resources, such as images, from third-party hosts that are explicitly allowed.
  • Lightning Locker is turned on.

Security Level: Allow Inline Scripts and Script Access to Whitelisted Third-party Hosts
Description: Provides moderate security.
  • Allows inline scripts to run in your site.
  • Allows the loading of remote JavaScript files and the display of non-script resources, such as images, from third-party hosts that are explicitly allowed.
  • Allows you to turn off Lightning Locker.
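
To check which level a site's policy corresponds to during testing, the following added example (not Salesforce code) classifies a Content-Security-Policy header value by its script rules. The sample headers are constructed, and the mapping from policy to security level is an assumption based on the descriptions above, not on the headers Salesforce sends.

```python
# Added example. The header strings in SAMPLES are constructed for illustration;
# they are not the headers Salesforce sends for any setting.
LEVELS = {
    "relaxed": "Allow Inline Scripts and Script Access to Any Third-party Host",
    "moderate": "Allow Inline Scripts and Script Access to Whitelisted Third-party Hosts",
    "strict": "Strict CSP: Block Inline Scripts and Script Access to All Third-party Hosts",
    "other": "No matching security level",
}

def parse_csp(header):
    """Parse a CSP header value into {directive: [sources]} (lowercased)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.lower().split()
        # A repeated directive is ignored by browsers; the first one wins.
        if tokens and tokens[0] not in policy:
            policy[tokens[0]] = tokens[1:]
    return policy

def classify(header):
    """Return the key in LEVELS that the policy's script rules correspond to."""
    policy = parse_csp(header)
    # script-src falls back to default-src; with neither, scripts are unrestricted.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return "relaxed"
    # Browsers ignore 'unsafe-inline' once a nonce or hash source is listed.
    pinned = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                 for s in sources)
    inline = "'unsafe-inline'" in sources and not pinned
    hosts = [s for s in sources if not s.startswith("'")]  # drop quoted keywords
    any_host = any(h in ("*", "https:", "http:") for h in hosts)
    if inline and any_host:
        return "relaxed"
    if inline:
        return "moderate"
    if not hosts:
        return "strict"
    return "other"

SAMPLES = [  # constructed sample policies
    "default-src 'self'; script-src 'self' 'unsafe-inline' *",
    "script-src 'self' 'unsafe-inline' https://cdn.example.com; img-src https://images.example.com",
    "default-src 'self'; script-src 'self'; img-src 'self' https://images.example.com",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(LEVELS[classify(header)], "<-", header)
```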