FAQ-000802 - External Content and Iframe Security / Third-Party JavaScript and Static Resources


Current FAQ

Question
What are the requirements and exceptions for loading third-party JavaScript and front-end assets?
Answer
For the AppExchange Security Review, strict requirements apply to loading third-party JavaScript and front-end assets:

**General Requirements:**
- All front-end assets, such as JavaScript and CSS files, must be packaged as static resources
- External JavaScript libraries must be saved in the static resources folder of your package and referenced using a `$Resource` URL
- Dynamically loading JavaScript files from third-party endpoints, content delivery networks (CDNs), or external sources is not permitted
- This ensures that the code is version-controlled and that any changes are tracked through the package version ID

**Specific Exceptions:**
- Google Maps and Stripe libraries are allowed for dynamic loading
- Captcha is permitted on experience sites and public pages
- CSS can be dynamically loaded if an integrity check is implemented

**No Exemptions Policy:**
- Exemptions for loading third-party scripts, like Google Tag Manager, from external sources instead of static resources are not allowed
- Loading external JavaScript like Google Tag Manager directly without storing it as a static resource is not permitted
- No waivers are available for external JavaScript that "shouldn't be stored as static resources"

**Security Implications:**
- Using CDN links in Visualforce pages can introduce vulnerabilities, as externally managed code can change without the package version ID changing
- This prevents administrators and the Salesforce security review team from being aware of changes
- Salesforce cannot ensure that third-party code remains secure when loaded dynamically

**Alternative Approaches:**
- Consider hosting dynamic content externally and embedding it via an iframe into a Visualforce page, as this approach is not associated with the Salesforce domain
- Use secure methods such as the `$Resource` URL for JavaScript or the `<ltng:require>` tag for CSS in Lightning components
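As an added illustration (not code from the FAQ or from Salesforce's own review tooling), the following checker applies the rules above to constructed markup: it accepts `$Resource` references, the assumed Google Maps and Stripe hostnames, and CSS tags carrying an `integrity` attribute, and flags every other external script or stylesheet load. The hostnames, the tag list and the sample markup are assumptions.

```javascript
// Added example (not from the FAQ or from Salesforce tooling): scan Visualforce /
// Lightning markup for front-end asset loads and report those the review would flag.

// Hostnames assumed to represent the FAQ's Google Maps and Stripe exceptions.
const ALLOWED_DYNAMIC_HOSTS = new Set(["maps.googleapis.com", "js.stripe.com"]);

// Tags that can pull in JavaScript or CSS, and the attributes that carry the URL.
const TAG_RE = /<(script|link|apex:includeScript|apex:stylesheet|ltng:require)\b([^>]*)>/gi;
const URL_ATTR_RE = /\b(src|href|value|scripts|styles)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;

// Classify one asset URL found on a tag. Returns {url, kind, status, reason}.
function classifyLoad(tag, attrs, attr, url) {
  const kind = (attr === "href" || attr === "styles" || tag === "apex:stylesheet") ? "css" : "script";
  // Packaged static resource ({!$Resource.x} or {!URLFOR($Resource.x, ...)}): compliant.
  if (url.includes("$Resource")) return { url, kind, status: "ok", reason: "static resource" };
  const ext = /^(?:https?:)?\/\/([^/?#]+)/i.exec(url);
  if (!ext) return { url, kind, status: "ok", reason: "relative path" };
  const host = ext[1].toLowerCase();
  if (ALLOWED_DYNAMIC_HOSTS.has(host)) return { url, kind, status: "ok", reason: "listed exception" };
  // CSS may be loaded dynamically when an integrity check is present on the tag.
  if (kind === "css" && /\bintegrity\s*=/i.test(attrs)) return { url, kind, status: "ok", reason: "css with integrity" };
  return { url, kind, status: "violation", reason: `external ${kind} from ${host}` };
}

// Walk every loader tag in the markup; one finding per URL-bearing attribute.
function scanMarkup(markup) {
  const findings = [];
  for (const t of markup.matchAll(TAG_RE)) {
    const tag = t[1].toLowerCase(), attrs = t[2];
    for (const a of attrs.matchAll(URL_ATTR_RE)) {
      findings.push(classifyLoad(tag, attrs, a[1].toLowerCase(), a[2] ?? a[3]));
    }
  }
  return findings;
}

// Constructed sample mixing compliant and non-compliant loads (hash is a placeholder).
const SAMPLE_MARKUP = `
<apex:includeScript value="{!$Resource.jquery}"/>
<apex:includeScript value="https://cdn.example.com/lib/app.min.js"/>
<script src="https://maps.googleapis.com/maps/api/js"></script>
<link rel="stylesheet" href="https://cdn.example.com/theme.css" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"/>
<link rel="stylesheet" href="https://cdn.example.com/other.css"/>
<ltng:require styles="{!$Resource.theme}" scripts="https://cdn.example.com/widget.js"/>`;

for (const f of scanMarkup(SAMPLE_MARKUP)) {
  console.log(`${f.status.padEnd(9)} ${f.kind.padEnd(6)} ${f.url}  (${f.reason})`);
}
```

Three of the seven loads in the sample are reported as violations: the CDN-hosted script, the stylesheet without an `integrity` attribute, and the `scripts` attribute of `<ltng:require>` that points at an external host.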

AI Recommended Enhancement

Related Security Rules
- LoadJavaScriptHtmlScript
- LoadJavaScriptIncludeScript
- LoadCSSLinkHref
- LoadCSSApexStylesheet
- AvoidCreateElementScriptLinkTag
Question
What are the requirements and exceptions for loading third-party JavaScript and front-end assets?
Recommended Answer Update
For the AppExchange Security Review, strict requirements apply to loading third-party JavaScript and front-end assets:

**General Requirements:**
- All front-end assets, such as JavaScript and CSS files, must be packaged as static resources
- External JavaScript libraries must be saved in the static resources folder of your package and referenced using a `$Resource` URL
- Dynamically loading JavaScript files from third-party endpoints, content delivery networks (CDNs), or external sources isn't permitted
- This ensures that the code is version-controlled and that any changes are tracked through the package version ID

**Specific Exceptions:**
- Google Maps and Stripe libraries are allowed for dynamic loading
- Captcha is permitted on experience sites and public pages
- CSS can be dynamically loaded if an integrity check is implemented

**No Exemptions Policy:**
- Exemptions for loading third-party scripts, like Google Tag Manager, from external sources instead of static resources aren't allowed
- Loading external JavaScript like Google Tag Manager directly without storing it as a static resource isn't permitted
- No waivers are available for external JavaScript that "shouldn't be stored as static resources"

**Security Implications:**
- Using CDN links in Visualforce pages can introduce vulnerabilities, as externally managed code can change without the package version ID changing
- This prevents administrators and the Salesforce security review team from being aware of changes
- Salesforce can't ensure that third-party code remains secure when loaded dynamically

**Alternative Approaches:**
- Consider hosting dynamic content externally and embedding it via an iframe into a Visualforce page, as this approach isn't associated with the Salesforce domain
- Use secure methods such as the `$Resource` URL for JavaScript or the `<ltng:require>` tag for CSS in Lightning components

- Category: External Content and Iframe Security
- Subcategory: Third-Party JavaScript and Static Resources
Reasoning
The content is technically accurate and comprehensive. I made minor conversational improvements by using contractions ("isn't" instead of "is not", "can't" instead of "cannot", "aren't" instead of "are not") to align with the brand guidelines for a more natural, conversational tone while maintaining the technical accuracy and completeness.

For security rules selection:
- LoadJavaScriptHtmlScript: This rule directly relates to the FAQ's core topic about loading JavaScript from external sources. The FAQ discusses requirements for JavaScript loading and this rule detects HTML script tag usage for external JavaScript loading.
- LoadJavaScriptIncludeScript: This rule is relevant because the FAQ addresses including JavaScript files, and this rule specifically detects JavaScript inclusion methods that may violate security requirements.
- LoadCSSLinkHref: The FAQ mentions CSS loading requirements and exceptions, and this rule detects CSS loading via link href attributes, which is directly covered in the FAQ content.
- LoadCSSApexStylesheet: The FAQ discusses CSS as part of front-end assets that must be packaged as static resources, and this rule relates to CSS loading in Apex/Visualforce contexts.
- AvoidCreateElementScriptLinkTag: This rule is highly relevant as the FAQ discusses dynamic loading restrictions for JavaScript and CSS, and this rule specifically detects dynamic creation of script and link elements, which the FAQ prohibits.