FAQ-000810 - External JavaScript Library Approval / Customer Configuration and Settings

Current FAQ

Question
Is it acceptable to allow customers to override JavaScript sources through custom settings in managed packages?
Answer
No, it is not acceptable to allow customers to override JavaScript sources through custom settings in managed packages. JavaScript code must be stored in static resources, and linking or storing JavaScript code from third-party servers within the Salesforce domain is not permitted. This restriction ensures security and maintains control over the code that runs within the Salesforce environment.

AI Recommended Enhancement

Related Security Rules
- LoadJavaScriptHtmlScript
- LoadJavaScriptIncludeScript
- AvoidCreateElementScriptLinkTag
Question
Is it acceptable to allow customers to override JavaScript sources through custom settings in managed packages?
Recommended Answer Update
No, it's not acceptable to allow customers to override JavaScript sources through custom settings in managed packages. JavaScript code must be stored in static resources, and linking or storing JavaScript code from third-party servers within the Salesforce domain isn't permitted. This restriction ensures security and maintains control over the code that runs within the Salesforce environment.
Reasoning
The original answer was well-structured and accurate but contained unnecessarily formal language that could be made more conversational and direct. Changed 'is not permitted' to 'isn't permitted' to use contractions as specified in the brand guidelines. The content aligns with security best practices and doesn't contain any outdated information.

For security rules selected:
- LoadJavaScriptHtmlScript: This rule directly relates to the FAQ's discussion about JavaScript sources and external JavaScript loading through HTML script tags, which is exactly what the FAQ warns against when it mentions 'linking JavaScript code from third-party servers'.
- LoadJavaScriptIncludeScript: This rule covers JavaScript inclusion through Visualforce includeScript, which is another method that could be misused if customers were allowed to override JavaScript sources as mentioned in the FAQ.
- AvoidCreateElementScriptLinkTag: This rule prevents dynamic creation of script and link elements, which directly relates to the FAQ's concern about maintaining 'control over the code that runs within the Salesforce environment' by preventing customer overrides of JavaScript sources.
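A pre-submission check for the three patterns discussed above, as an added example: it is not the scanner's own rule logic and is not part of the original FAQ. It flags script sources in Visualforce markup that do not resolve to a static resource, including one driven by a custom setting. The page markup, the setting `Pkg_Config__c.Script_URL__c`, the resource names and `cdn.example.com` are constructed for illustration.

```python
import re

# Accepted source: a Visualforce expression resolving to a packaged static resource.
STATIC_RESOURCE = re.compile(r"^\{!\s*(?:URLFOR\(\s*)?\$Resource\.", re.I)
ATTR = r"\s*=\s*([\"'])(?P<v>.*?)\1"  # quoted attribute value, captured as "v"
PATTERNS = [
    ("html-script-src", re.compile(r"<script\b[^>]*?\bsrc" + ATTR, re.I)),
    ("apex-includeScript", re.compile(r"<apex:includeScript\b[^>]*?\bvalue" + ATTR, re.I)),
    ("createElement-script", re.compile(r"createElement\(\s*[\"'](?:script|link)[\"']\s*\)", re.I)),
]

def classify(value):
    """Return None for a static-resource source, otherwise the reason it is flagged."""
    v = value.strip()
    if STATIC_RESOURCE.match(v):
        return None
    if "$Setup." in v:  # $Setup exposes custom settings to Visualforce expressions
        return "custom setting controls the script source"
    if re.match(r"^(https?:)?//", v, re.I):
        return "script loaded from an external host"
    return "source is not a static resource"

def scan(markup):
    """Return (line number, pattern label, reason) for each flagged script source."""
    findings = []
    for lineno, line in enumerate(markup.splitlines(), 1):
        for label, rx in PATTERNS:
            for m in rx.finditer(line):
                if "v" in rx.groupindex:
                    reason = classify(m.group("v"))
                else:
                    reason = "script/link element created at runtime"
                if reason:
                    findings.append((lineno, label, reason))
    return findings

# Constructed sample page: lines 2 and 5 use static resources, lines 3, 4 and 6 do not.
SAMPLE = """<apex:page>
  <apex:includeScript value="{!URLFOR($Resource.vendorlib, 'dist/lib.min.js')}"/>
  <apex:includeScript value="{!$Setup.Pkg_Config__c.Script_URL__c}"/>
  <script src="https://cdn.example.com/lib.js"></script>
  <script src="{!$Resource.appjs}"></script>
  <script>var s = document.createElement('script');</script>
</apex:page>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```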