FAQ-001109 - Lightning Web Components Manual DOM Security / Managed Package Restrictions


Current FAQ

Question
What are the restrictions and scope limitations for dynamic DOM manipulation in managed packages?
Answer
Dynamic DOM manipulation in managed packages has strict restrictions and scope limitations:

1. **JavaScript Restrictions**:
   - JavaScript must be stored in static resources.
   - It cannot be loaded from third-party servers or linked from Salesforce domains.
   - JSONP is not allowed; use HTML5 CORS without wildcarding the domain.
2. **Dynamic Loading**:
   - Dynamically loading JavaScript or CSS directly into Salesforce domains is prohibited.
   - CSS can be dynamically loaded if an integrity check is implemented.
3. **Allowed Exceptions**:
   - Specific libraries like Google Maps and Stripe are permitted for dynamic loading.
4. **External Hosting**:
   - If dynamic content is necessary, it can be hosted externally and loaded into an iframe, as long as it is not associated with a Salesforce domain.

These guidelines ensure compliance with AppExchange security review standards.
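A pre-submission check for the restrictions listed above, as an added example (it is not Salesforce's scanner and not part of the original FAQ). The rule ids, the regexes, the allowlisted hostnames for Google Maps and Stripe, and the reading of "integrity check" as an SRI `integrity` attribute are assumptions made for this illustration.

```javascript
// Added illustration, not Salesforce's scanner rules; ids and patterns are assumptions.
// Hostnames for the permitted Google Maps / Stripe exceptions are assumed here.
const ALLOWED_HOSTS = new Set(['maps.googleapis.com', 'js.stripe.com']);

const hostOf = (url) => {
  try { return new URL(url.startsWith('//') ? 'https:' + url : url).hostname; }
  catch { return null; } // unparsable URL: treated as not allowlisted
};

const RULES = [
  // Runtime creation of <script> or <link> elements.
  { id: 'create-script-or-link',
    test: (l) => /createElement\(\s*['"`](script|link)['"`]\s*\)/i.test(l) },
  // <script src> pointing at a remote host outside the allowlist.
  { id: 'remote-script',
    test: (l) => {
      const m = /<script\b[^>]*\bsrc\s*=\s*['"]((?:https?:)?\/\/[^'"]+)['"]/i.exec(l);
      return m !== null && !ALLOWED_HOSTS.has(hostOf(m[1]));
    } },
  // Remote stylesheet with no SRI integrity attribute (assumed meaning of "integrity check").
  { id: 'remote-css-no-integrity',
    test: (l) => /<link\b[^>]*\bhref\s*=\s*['"](?:https?:)?\/\//i.test(l) &&
                 !/\bintegrity\s*=\s*['"]sha(256|384|512)-/i.test(l) },
  { id: 'jsonp', test: (l) => /[?&](callback|jsonp)=/i.test(l) },
  { id: 'cors-wildcard',
    test: (l) => /Access-Control-Allow-Origin['"]?\s*[:,]\s*['"]?\*/i.test(l) },
];

// Returns [{ line, rule }] for every rule that matches a source line.
function scan(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const r of RULES) if (r.test(text)) findings.push({ line: i + 1, rule: r.id });
  });
  return findings;
}

// Constructed sample input, not taken from any real package.
const SAMPLE = [
  "loadScript(this, chartLib);",
  "const s = document.createElement('script');",
  '<script src="https://cdn.example.com/widget.js"></script>',
  '<script src="https://js.stripe.com/v3/"></script>',
  '<link rel="stylesheet" href="https://cdn.example.com/a.css">',
  '<link rel="stylesheet" href="https://cdn.example.com/a.css" integrity="sha384-PLACEHOLDER">',
  "fetch('https://api.example.com/data?callback=handle');",
  "res.setHeader('Access-Control-Allow-Origin', '*');",
].join('\n');
console.log(scan(SAMPLE));
```

A line-based regex pass like this misses markup split across lines and strings assembled at runtime, so it complements the security review scanner rather than replacing it.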

AI Recommended Enhancement

Related Security Rules

- AvoidCreateElementScriptLinkTag
- LoadJavaScriptHtmlScript
- LoadJavaScriptIncludeScript
- LoadCSSLinkHref
- LoadCSSApexStylesheet

Question
What are the restrictions and scope limitations for dynamic DOM manipulation in managed packages?
Recommended Answer Update
Dynamic DOM manipulation in managed packages has strict restrictions and scope limitations:

1. **JavaScript Restrictions**:
   - JavaScript must be stored in static resources
   - It can't be loaded from third-party servers or linked from Salesforce domains
   - JSONP isn't allowed; use HTML5 CORS without wildcarding the domain
2. **Dynamic Loading**:
   - Dynamically loading JavaScript or CSS directly into Salesforce domains is prohibited
   - CSS can be dynamically loaded if an integrity check is implemented
3. **Allowed Exceptions**:
   - Specific libraries like Google Maps and Stripe are permitted for dynamic loading
4. **External Hosting**:
   - If dynamic content is necessary, it can be hosted externally and loaded into an iframe, as long as it's not associated with a Salesforce domain

These guidelines ensure compliance with AppExchange security review standards.
Reasoning
The FAQ content is accurate and doesn't require significant changes. I made minor style improvements to follow the brand guidelines: converted 'cannot' to 'can't', 'is not allowed' to 'isn't allowed' for a more conversational tone per the writing style guidance. The content accurately reflects the security restrictions for dynamic DOM manipulation.

Selected security rules reasoning:

- AvoidCreateElementScriptLinkTag: Directly relates to the JavaScript restrictions mentioned in point 1, specifically detecting dynamic creation of script and link elements which is prohibited as stated in the FAQ
- LoadJavaScriptHtmlScript: Relates to the dynamic loading restrictions in point 2, detecting JavaScript loading via HTML script tags from external sources
- LoadJavaScriptIncludeScript: Also relates to point 2's dynamic loading restrictions, detecting JavaScript inclusion methods that violate the security guidelines
- LoadCSSLinkHref: Connects to the CSS dynamic loading mentioned in point 2, detecting CSS loading via link href attributes
- LoadCSSApexStylesheet: Relates to the CSS restrictions discussed in point 2, detecting improper CSS loading methods in Apex contexts