To enhance the flexibility and security of your Higher Logic Vanilla (Vanilla) community when incorporating third-party content, Vanilla provides an option to conditionally include the "strict-dynamic" directive in your community's Content Security Policy (CSP).
This allows you to manage scripts and their dependencies in scenarios where enumerating every potential domain is not viable. The "strict-dynamic" directive allows scripts approved by the policy to dynamically load other scripts, creating a more manageable chain of trust.
⚠️ IMPORTANT: Keep in mind that enabling this feature will modify your CSP to trust additional scripts injected as dependencies by your custom scripts. This is not necessary on most sites, except those that use features like AdSense and Google Tag Manager.
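To make the chain-of-trust behaviour concrete, here is an added example (not Vanilla's code) that models how a browser decides whether a script may run under a script-src directive, with and without "strict-dynamic". It assumes a constructed page origin (community.example.com) and a constructed nonce value, and models only host sources, 'self', 'unsafe-inline', nonces and 'strict-dynamic' (hashes and scheme sources are left out).

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

PAGE_HOST = "community.example.com"  # constructed origin of the community page


@dataclass
class ScriptLoad:
    src: Optional[str] = None        # external script URL, or None for an inline script
    nonce: Optional[str] = None      # nonce attribute on the <script> element, if any
    parser_inserted: bool = False    # True for markup/innerHTML/document.write, False for createElement


def script_src_sources(csp: str) -> List[str]:
    """Return the source expressions of the script-src directive (empty if absent)."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []


def host_matches(host: str, source: str) -> bool:
    """Match a host against one host-source such as https://cdn.example or *.example.com."""
    host_part = urlsplit(source if "//" in source else "//" + source).hostname or source
    if host_part.startswith("*."):
        return host.endswith(host_part[1:])
    return host == host_part


def allowed(csp: str, load: ScriptLoad, page_host: str = PAGE_HOST) -> bool:
    """Decide whether the browser would execute `load` under the given CSP header."""
    sources = script_src_sources(csp)
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    if load.nonce is not None and load.nonce in nonces:
        return True  # a matching nonce always wins
    if "'strict-dynamic'" in sources:
        # Host allowlists and 'unsafe-inline' are ignored. Trust propagates to any
        # script created through a non-parser API (createElement) by code that is
        # already running, so whatever an approved script loads is accepted too.
        return not load.parser_inserted
    if load.src is None:
        return "'unsafe-inline'" in sources
    host = urlsplit(load.src).hostname or ""
    return any(
        host == page_host if s == "'self'" else (not s.startswith("'") and host_matches(host, s))
        for s in sources
    )
```

Running the same loads against an allowlist-only policy and a "strict-dynamic" policy shows the trade-off: dependencies injected by an approved tag-manager script pass only under "strict-dynamic", while allowlisted hosts without a nonce stop passing once "strict-dynamic" is present.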
Implications to consider
While this feature offers more flexibility in incorporating third-party content, it also places more responsibility on you to protect the continued security of your community.
Before activating this feature, carefully consider the following potential implications:
- Increased security risks: This feature may introduce vulnerabilities such as Cross-Site Scripting (XSS), because if any of the initially approved scripts is compromised, every script it loads is trusted as well.
- Browser compatibility: Older browsers may not support the "strict-dynamic" directive, which may affect the user experience; check browser compatibility before enabling it.
⚠️ IMPORTANT: If you have any questions or concerns about these potential implications, we recommend speaking with your organization's InfoSec team or Vanilla's Support Team before moving forward.
Enable third-party script execution
- Access the Dashboard.
- Navigate to Settings > Technical > Security.
- Click to toggle ON the Allow Third-Party Script Execution option.
- In the dialog, click OK.