FAQ-000786 - External Content and Iframe Security / Dynamic Content and Document Systems


Current FAQ

Question
What are the approved methods for implementing dynamic content from external document systems?
Answer
Approved methods for implementing dynamic content from external document systems include:

1. **Hosting Content Externally**: Host the dynamic content externally and embed it into a Visualforce page using an iframe. This ensures the content is not associated with a Salesforce or URL_Redacted domain.
2. **Static Resources for JavaScript**: Store JavaScript code in static resources rather than dynamically loading it from third-party servers.
3. **Use HTML5 CORS**: Implement HTML5 CORS with strict domain whitelisting, avoiding wildcard domains.
4. **Avoid JSONP**: JSONP is not permitted due to security concerns.
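Points 3 and 4 describe what the external document server must do when a Visualforce page calls it with fetch() or XHR. The following is an added example of that server-side logic, written for this page and not taken from Salesforce or the FAQ; the allowlisted origins and the `docs.example` base URL are constructed placeholders.

```javascript
// Added example, not Salesforce or project code: the external document server's
// side of point 3 (strict CORS allowlist) and point 4 (refuse JSONP). The
// allowlisted origins are constructed placeholders for the permitted Visualforce origins.
const ALLOWED_ORIGINS = new Set([
  "https://example-dev-ed--c.visualforce.com",
  "https://example-dev-ed.my.salesforce.com",
]);

// Canonicalise an Origin header to scheme://host[:port]; null for anything
// that is not a plain https origin (other schemes, paths, credentials, "null").
function normalizeOrigin(originHeader) {
  if (typeof originHeader !== "string") return null;
  let u; try { u = new URL(originHeader); } catch { return null; }
  if (u.protocol !== "https:") return null;
  if (u.pathname !== "/" || u.search || u.hash || u.username || u.password) return null;
  return u.origin; // lower-cased host, default port dropped
}

// CORS headers for an allowlisted origin, or null when no
// Access-Control-Allow-Origin may be sent. The matched origin is echoed
// exactly: "*" or reflecting any Origin would both defeat the allowlist.
function corsHeadersFor(originHeader) {
  const origin = normalizeOrigin(originHeader);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Vary": "Origin", // shared caches must key the response on Origin
    "Access-Control-Allow-Methods": "GET",
    "Access-Control-Allow-Headers": "Content-Type",
  };
}

// JSONP makes the data response an executable script named by the caller;
// a request carrying a callback parameter is refused instead of served.
function isJsonpRequest(requestUrl) {
  const params = new URL(requestUrl, "https://docs.example").searchParams; // base is a placeholder
  return params.has("callback") || params.has("jsonp");
}

// Status and headers a document handler would send for one request.
function handleDocumentRequest(requestUrl, originHeader) {
  if (isJsonpRequest(requestUrl)) return { status: 400, headers: {} };
  if (originHeader === undefined) { // no Origin: not a CORS request, serve without CORS headers
    return { status: 200, headers: { "Content-Type": "application/json" } };
  }
  const cors = corsHeadersFor(originHeader);
  if (cors === null) return { status: 403, headers: {} };
  return { status: 200, headers: { ...cors, "Content-Type": "application/json" } };
}
```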

AI Recommended Enhancement

Related Security Rules

- LoadJavaScriptIncludeScript
- LoadJavaScriptHtmlScript
- AvoidCreateElementScriptLinkTag
- LoadCSSLinkHref
- LoadCSSApexStylesheet
Question
What are the approved methods for implementing dynamic content from external document systems?
Recommended Answer Update
Approved methods for implementing dynamic content from external document systems include:

1. **Hosting Content Externally**: Host the dynamic content externally and embed it into a Visualforce page using an iframe. This ensures the content isn't associated with a Salesforce or Force.com domain.
2. **Static Resources for JavaScript**: Store JavaScript code in static resources rather than dynamically loading it from third-party servers.
3. **Use HTML5 CORS**: Implement HTML5 CORS with strict domain whitelisting, avoiding wildcard domains.
4. **Avoid JSONP**: JSONP isn't permitted due to security concerns.
Reasoning
The changes improve the FAQ's tone and readability by using more conversational language per the brand guidelines. Specifically:

1) Changed 'URL_Redacted domain' to 'Force.com domain' for clarity and accuracy.
2) Replaced 'is not permitted' and 'is not associated' with the more conversational contractions 'isn't permitted' and 'isn't associated'.
3) Maintained all technical content and security guidance unchanged.

These updates make the answer more approachable while preserving all security information.

Regarding the selected security rules:

- LoadJavaScriptIncludeScript: Directly relates to point #2 about storing JavaScript in static resources rather than loading dynamically from external servers.
- LoadJavaScriptHtmlScript: Also relates to point #2's guidance on JavaScript handling and external loading concerns.
- AvoidCreateElementScriptLinkTag: Connected to the dynamic content loading security concerns addressed throughout the FAQ.
- LoadCSSLinkHref: Relevant to the external content embedding approaches discussed in points #1 and #3.
- LoadCSSApexStylesheet: Also relevant to the static resource and external content security patterns covered in the FAQ.