FAQ-000785 - External Content and Iframe Security / CORS and Cross-Domain Communication


Current FAQ

Question
What are the security implications of using JSONP for communication between Salesforce and external domains?
Answer
Using JSONP for communication between Salesforce and external domains is not permitted due to significant security risks. JSONP can expose Salesforce domains to vulnerabilities like cross-site scripting (XSS) attacks, as it allows external domains to execute scripts within the Salesforce context. Instead, secure alternatives like HTML5 CORS with strict domain whitelisting should be used, and wildcarding domains should be avoided.
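To make the recommendation concrete, here is an added example (not Salesforce's code) of the server-side decision a CORS endpoint makes in place of a JSONP callback: it echoes only an exact match from a fixed origin allowlist, never a wildcard. The allowlist entries are placeholders, and the weak "contains" check is included only to show why loose matching is a form of wildcarding.

```javascript
// Added example: strict origin allowlisting for a CORS endpoint that replaces JSONP.
// The origins below are hypothetical placeholders, not real Salesforce endpoints.
const ALLOWED_ORIGINS = new Set([
  "https://example.my.salesforce.com",
  "https://partner.example.com",
]);

// Weak check (do NOT use): accepts any origin whose string merely contains a
// trusted hostname, so "https://example.my.salesforce.com.attacker.test" passes.
// Shown only to contrast with the strict version below.
function weakOriginAllowed(origin) {
  for (const trusted of ALLOWED_ORIGINS) {
    if (origin.includes(new URL(trusted).hostname)) return true;
  }
  return false;
}

// Strict check: parse the Origin header with the WHATWG URL parser (which
// lowercases the host and drops a default port) and compare the full serialized
// origin against the allowlist. Returns the CORS response headers to set, or
// null when the request must get no CORS headers at all.
function corsHeadersFor(originHeader) {
  if (!originHeader) return null;            // no Origin: same-origin or non-browser client
  let origin;
  try {
    origin = new URL(originHeader).origin;   // throws on garbage such as "null"
  } catch {
    return null;
  }
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    // Echo the one trusted origin, never "*": a wildcard cannot be combined with
    // credentials, and a loosely matched origin would let any site read the response.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
    // Caches must key on Origin so one caller's header is never served to another.
    "Vary": "Origin",
  };
}
```

The same exact-match rule applies whichever framework sets the headers; the point is that the allowlist is compared as whole origins, not as substrings or patterns.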

AI Recommended Enhancement

Related Security Rules
ApexXSSFromEscapeFalse
ApexXSSFromURLParam
AvoidUnescapedHtmlInAura
VfUnescapeEl
Question
What are the security implications of using JSONP for communication between Salesforce and external domains?
Recommended Answer Update
Using JSONP for communication between Salesforce and external domains isn't permitted due to significant security risks. JSONP can expose Salesforce domains to vulnerabilities like cross-site scripting (XSS) attacks, as it allows external domains to execute scripts within the Salesforce context. Instead, use secure alternatives like HTML5 CORS with strict domain whitelisting, and avoid wildcarding domains.
Reasoning
The original answer is technically accurate and covers the key security concerns well. I made minor improvements to enhance clarity and flow: changed 'is not permitted' to the more conversational 'isn't permitted', simplified 'can expose Salesforce domains to vulnerabilities like' by removing redundant wording, and streamlined the final sentence by changing 'should be used' to the more direct 'use' and 'should be avoided' to 'avoid'. These changes make the content more accessible while preserving all the important security information.

Regarding the selected security rules: ApexXSSFromEscapeFalse relates to this FAQ because JSONP vulnerabilities can lead to XSS attacks when content isn't properly escaped, which is the core concern this FAQ addresses about JSONP allowing external domains to execute scripts. ApexXSSFromURLParam is relevant because JSONP often involves URL parameters that can be exploited for XSS attacks, directly connecting to the FAQ's warning about cross-site scripting risks. AvoidUnescapedHtmlInAura applies because the FAQ discusses cross-domain communication security in Salesforce contexts, and unescaped HTML in Aura components can create similar XSS vulnerabilities that JSONP restrictions aim to prevent. VfUnescapeEl is related because Visualforce pages with unescaped expressions face similar XSS risks that the FAQ's JSONP restrictions are designed to mitigate.