FAQ-000820 - External JavaScript Library Approval / Visualforce-Specific Requirements

Current FAQ

Question
What are the security requirements and best practices for using JavaScript and third-party libraries in Visualforce pages?
Answer
Here are the comprehensive security requirements and best practices for using JavaScript and third-party libraries in Visualforce pages:

**Inline JavaScript Rules**: Using inline JavaScript in Visualforce pages is allowed under specific conditions:

1. The script must be hosted statically on your domain and not dynamically loaded from external domains.
2. JavaScript-based API callouts to the server are permitted but must be thoroughly documented, including providing API details and credentials for testing during review.
3. Ensure that sensitive data is not logged or exposed insecurely.

**Third-Party Library Requirements**: When including custom JavaScript frameworks like Vue.js or other third-party libraries:

1. **Static Hosting**: JavaScript code must be hosted as a static resource within the Salesforce environment and referenced using `$Resource` URLs.
2. **No Dynamic Loading**: Dynamically loading scripts from external domains is not allowed.
3. **API Documentation**: Any JavaScript-based API callouts must be thoroughly documented, including providing credentials for testing endpoints during security review.
4. **Sandbox Compliance**: Ensure JavaScript code does not attempt to run outside its origin or break out of the sandbox, as this violates secure coding practices.

**Using Containers and Wrappers**: `lightning:container` or Visualforce pages can be used to wrap third-party scripts under certain conditions:

**For Visualforce Pages**:
- Third-party scripts must be hosted statically on your domain.
- Include them using `<apex:includeScript>`.
- Dynamically loading scripts from external domains is not allowed.

**For lightning:container**:
- No explicit security concerns are mentioned, but implementation must align with Salesforce documentation and security guidelines.
- Thorough documentation of the implementation is recommended for security review compliance.

**Security Implications and Restrictions**: Hosting JavaScript libraries in Visualforce pages to bypass Lightning component CORS restrictions is not recommended due to:

1. **Static Resource Requirement**: JavaScript code must be stored in static resources, not hosted on third-party servers or linked externally.
2. **Vulnerability Risks**: Bypassing CORS restrictions could expose the Salesforce domain to potential vulnerabilities like code injection or interference.
3. **Secure Practices**: It's essential to follow secure coding practices and use approved methods for integrating external libraries.

**Best Practices**:
- Always store JavaScript libraries in static resources for version control and security compliance.
- Use `$Resource` URLs for referencing libraries.
- Document all API callouts thoroughly.
- Follow Salesforce's secure coding guidelines.
- Ensure proper input sanitization and avoid exposure of sensitive data.
- Maintain sandbox compliance and avoid breaking out of designated origins.
AI Recommended Enhancement

Related Security Rules
- LoadJavaScriptIncludeScript
- LoadJavaScriptHtmlScript
- AvoidCreateElementScriptLinkTag
- LibraryWithKnownCriticalSeverityVulnerability
- LibraryWithKnownHighSeverityVulnerability
- LibraryWithKnownMediumSeverityVulnerability
- LibraryWithKnownLowSeverityVulnerability
Question
What are the security requirements and best practices for using JavaScript and third-party libraries in Visualforce pages?
Recommended Answer Update
Here are the comprehensive security requirements and best practices for using JavaScript and third-party libraries in Visualforce pages:

**Inline JavaScript Rules**: Using inline JavaScript in Visualforce pages is allowed under specific conditions:

1. The script must be hosted statically on your domain and not dynamically loaded from external domains.
2. JavaScript-based API callouts to the server are permitted but must be thoroughly documented, including providing API details and credentials for testing during review.
3. Ensure that sensitive data isn't logged or exposed insecurely.

**Third-Party Library Requirements**: When including custom JavaScript frameworks like Vue.js or other third-party libraries:

1. **Static Hosting**: JavaScript code must be hosted as a static resource within the Salesforce environment and referenced using `$Resource` URLs.
2. **No Dynamic Loading**: Dynamically loading scripts from external domains isn't allowed.
3. **API Documentation**: Any JavaScript-based API callouts must be thoroughly documented, including providing credentials for testing endpoints during security review.
4. **Sandbox Compliance**: Ensure JavaScript code doesn't attempt to run outside its origin or break out of the sandbox, as this violates secure coding practices.

**Using Containers and Wrappers**: `lightning:container` or Visualforce pages can be used to wrap third-party scripts under certain conditions:

**For Visualforce Pages**:
- Third-party scripts must be hosted statically on your domain.
- Include them using `<apex:includeScript>`.
- Dynamically loading scripts from external domains isn't allowed.

**For lightning:container**:
- No explicit security concerns are mentioned, but implementation must align with Salesforce documentation and security guidelines.
- Thorough documentation of the implementation is recommended for security review compliance.

**Security Implications and Restrictions**: Hosting JavaScript libraries in Visualforce pages to bypass Lightning component CORS restrictions isn't recommended due to:

1. **Static Resource Requirement**: JavaScript code must be stored in static resources, not hosted on third-party servers or linked externally.
2. **Vulnerability Risks**: Bypassing CORS restrictions could expose the Salesforce domain to potential vulnerabilities like code injection or interference.
3. **Secure Practices**: It's essential to follow secure coding practices and use approved methods for integrating external libraries.

**Best Practices**:
- Always store JavaScript libraries in static resources for version control and security compliance.
- Use `$Resource` URLs for referencing libraries.
- Document all API callouts thoroughly.
- Follow Salesforce's secure coding guidelines.
- Ensure proper input sanitization and avoid exposure of sensitive data.
- Maintain sandbox compliance and avoid breaking out of designated origins.

- Category: External JavaScript Library Approval
- Subcategory: Visualforce-Specific Requirements
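As an added example (not part of the FAQ text, the recommended update, or any Salesforce review tool), the following JavaScript applies the static-hosting rule stated in both answers above to a constructed Visualforce page: it flags `<script src>` and `<apex:includeScript>` targets on an external origin, accepts `$Resource` references, and flags inline `document.createElement('script')` loaders, the patterns the listed LoadJavaScriptIncludeScript, LoadJavaScriptHtmlScript and AvoidCreateElementScriptLinkTag rules cover. The regexes, function names and sample markup are assumptions of this example, not the review tool's actual logic.

```javascript
// Added example: a lightweight static checker for the FAQ's "static resource
// only, no dynamic loading" rule. Regex matching is an approximation, not the
// security scanner's own implementation.

// Absolute http(s) or protocol-relative URL => served from another origin.
const EXTERNAL_URL = /^(?:https?:)?\/\//i;

// Classify one include target (the src/value attribute of a script include).
function classifyInclude(target) {
  if (/\$Resource\b/.test(target)) return "ok-static-resource";   // {!$Resource.X} / URLFOR($Resource.X, ...)
  if (EXTERNAL_URL.test(target)) return "violation-external-origin";
  return "review-unresolved-path";                                  // relative path: needs a human look
}

// Scan Visualforce markup and return one finding per include or dynamic loader.
function checkVisualforce(markup) {
  const findings = [];
  // <apex:includeScript value="..."/> and <script src="..."> (either quote style).
  const includeRe = /<(apex:includeScript|script)\b[^>]*?\b(?:value|src)\s*=\s*(["'])([^>]*?)\2/gi;
  let m;
  while ((m = includeRe.exec(markup)) !== null) {
    findings.push({ tag: m[1], target: m[3], verdict: classifyInclude(m[3]) });
  }
  // Inline JS that builds <script>/<link> elements at runtime = dynamic loading.
  const dynRe = /createElement\s*\(\s*["'](script|link)["']\s*\)/gi;
  while ((m = dynRe.exec(markup)) !== null) {
    findings.push({ tag: "createElement", target: m[1], verdict: "violation-dynamic-load" });
  }
  return findings;
}

function violations(findings) {
  return findings.filter((f) => f.verdict.startsWith("violation"));
}

// Constructed sample page: one compliant include, one CDN include, one runtime loader.
const SAMPLE_PAGE = `
<apex:page>
  <apex:includeScript value="{!URLFOR($Resource.VueBundle, 'vue.min.js')}"/>
  <script src="https://cdn.example.invalid/vue.min.js"></script>
  <script>
    var s = document.createElement('script');
    s.src = 'https://cdn.example.invalid/plugin.js';
    document.head.appendChild(s);
  </script>
</apex:page>`;

const report = checkVisualforce(SAMPLE_PAGE);
console.log(report, `${violations(report).length} violation(s)`);
```

The compliant line shows the `$Resource` form the FAQ asks for; the two flagged lines are the external `<script src>` and the runtime loader that the static-hosting rule excludes.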
Reasoning
The FAQ content is accurate and comprehensive but has minor tone improvements to make it more conversational and less formal, following the brand guidelines. I replaced formal contractions like 'is not' with 'isn't' and 'does not' with 'doesn't' to create a more conversational tone while preserving all technical content and structure.

For security rule associations:
- LoadJavaScriptIncludeScript: Directly relates to the FAQ's discussion of using `<apex:includeScript>` for third-party scripts in Visualforce pages
- LoadJavaScriptHtmlScript: Relates to the FAQ's coverage of HTML script loading and static hosting requirements
- AvoidCreateElementScriptLinkTag: Connected to the FAQ's emphasis on avoiding dynamic script loading from external domains
- Library vulnerability rules (Critical/High/Medium/Low): All relate to the FAQ's discussion of third-party library security, version control, and the importance of using secure, up-to-date libraries in static resources