To prevent remote code execution attacks, the Script loading toggle improves portal security by adding strict-dynamic to the Content Security Policy (CSP) of the portal.
This means that Fluid Topics uses a cryptographic nonce to validate the execution of inline JavaScript.
- This toggle is active by default for tenants created after the release of this feature.
- Enabling this feature does not have any impact on Custom JavaScript code or Custom components.
- Disabling the toggle leaves the portal vulnerable to remote code execution attacks delivered through content.
- If the toggle is active, browsers that do not support the strict-dynamic Content Security Policy (CSP) are still safer. See Dealing with Unsupported Browsers.
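
The following added example (not Fluid Topics code) models how a browser decides whether a script may run under a nonce plus strict-dynamic policy, in a browser that supports strict-dynamic and in one that does not. The policy string, the `https:` and `'unsafe-inline'` fallback sources, the function names and the sample scripts are all assumptions made for illustration; the portal's actual header may differ.

```javascript
// Added illustration: simplified model of CSP script checks, not Fluid Topics code.
// Web Crypto is global in browsers and current Node; older Node needs node:crypto.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// A fresh, unguessable nonce is generated for every response.
function newNonce() {
  const bytes = webCrypto.getRandomValues(new Uint8Array(16));
  return btoa(String.fromCharCode(...bytes));
}

// Constructed policy (assumption): nonce + strict-dynamic, with https: and
// 'unsafe-inline' as fallbacks that browsers honouring the nonce ignore.
function buildCsp(nonce) {
  return `script-src 'nonce-${nonce}' 'strict-dynamic' https: 'unsafe-inline'; object-src 'none'; base-uri 'none'`;
}

// script: { nonce?, inline, parserInserted, src? }; browser: { strictDynamic }
function scriptAllowed(csp, script, browser) {
  const directive = csp.split(";").map((d) => d.trim()).find((d) => d.startsWith("script-src ")) || "";
  const sources = directive.split(/\s+/).slice(1);
  // 1. A matching nonce always authorises the element.
  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
  // 2. Inline code: 'unsafe-inline' is ignored once a nonce is in the policy.
  if (script.inline) {
    const policyHasNonce = sources.some((s) => s.startsWith("'nonce-"));
    return !policyHasNonce && sources.includes("'unsafe-inline'");
  }
  // 3. strict-dynamic: allowlists are ignored; only scripts added by already
  //    trusted code (not written into the HTML by the parser) may load.
  if (browser.strictDynamic && sources.includes("'strict-dynamic'")) return !script.parserInserted;
  // 4. Browser without strict-dynamic support: fall back to the scheme allowlist.
  return sources.includes("https:") && String(script.src).startsWith("https://");
}

// Constructed sample inputs.
const MODERN = { strictDynamic: true };
const LEGACY = { strictDynamic: false };
const nonce = newNonce();
const csp = buildCsp(nonce);
const pageScript = { nonce, inline: true, parserInserted: true }; // emitted by the server
const inlineInContent = { inline: true, parserInserted: true };   // no nonce: markup inside content
const externalInContent = { inline: false, parserInserted: true, src: "https://cdn.example.com/x.js" };
const loadedByTrusted = { inline: false, parserInserted: false, src: "https://cdn.example.com/lib.js" };

console.log(csp);
console.log("inline in content, modern:", scriptAllowed(csp, inlineInContent, MODERN));
console.log("inline in content, legacy:", scriptAllowed(csp, inlineInContent, LEGACY));
```

In this model, the un-nonced inline script is rejected by both browsers, while the parser-inserted external script is only rejected where strict-dynamic is enforced.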