[SalesForce] Place external JS in head of community

We would like to use/build community using communities lightning. The problem we encounter is that there is no possibility to add any javascript from external resource/CDN.

The issue is that this is the only way you use 99% of marketing tools. The problem we encounter is related to Blueconic – automated profiling tool.

I know there is an option to store JS in static resources and load it this way – but still this cannot be done in the head section. Am I correct? For me this actually means a show stopper and one client less for SF.

I have seen "Load CSS and JS from CDN in Lightning component". The mentioned topic is not solved and, what is important in my situation, external resources must be loaded in the HEAD section of the page – NOT in a component – so it's a different place in the platform.

Best Answer

As of Summer '17, with Locker Service and with "Enable Stricter CSP for Lightning Components" enabled, it will no longer be supported. The documentation lists supported tags and attributes as well as an IMPORTANT note.

Important: With the "Enable Stricter CSP for Lightning Components in Communities" critical update, you have control over whether to enforce stricter CSP. When stricter CSP is activated, some of your existing head markup may not work correctly. Test your markup in your sandbox or DE orgs first before activating in live orgs in a future release.

For security purposes, we restrict the tags, attributes, and values allowed in the head markup of your pages:

<base>
Allowed attributes: href, target

<link>
Allowed attributes: as, charset, crossorigin, disabled, href, hreflang, id, import, integrity, media, rel, relList, rev, sheet, sizes, target, title, type
For rel, allowed values are alternate, apple-touch-icon, apple-touch-icon-precomposed, apple-touch-startup-image, author, bookmark, external, help, icon, license, manifest, mask-icon, next, nofollow, noopener, noreferrer, pingback, prefetch, preload, prev, search, shortcut icon, stylesheet, and tag.

<meta>
Allowed attributes: charset, content, http-equiv, name, scheme
For http-equiv, allowed values are cleartype, content-type, content-language, and default-style.

<title>
Allowed attributes: none

If you do add scripts you will get the following message:

[Image: screenshot of the message]

You will have to monitor and check for critical updates and decide which ones to enable/disable.
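The allow-list quoted in the answer can be turned into a pre-flight check for head markup before the stricter CSP update is activated in a sandbox. The following is an added example, not part of the original answer and not Salesforce's own validation code; the names `HeadMarkupAudit` and `audit_head_markup` are hypothetical, the sample markup and `cdn.example.com` URLs are constructed, and comparing each `rel` or `http-equiv` value as one whole string is an assumption about how the platform matches values.

```python
from html.parser import HTMLParser

# Allow-list from the documentation quoted above; HTMLParser lowercases names ("relList" -> "rellist").
ALLOWED_ATTRS = {
    "base": {"href", "target"},
    "link": set("as charset crossorigin disabled href hreflang id import integrity "
                "media rel rellist rev sheet sizes target title type".split()),
    "meta": {"charset", "content", "http-equiv", "name", "scheme"},
    "title": set(),
}
ALLOWED_VALUES = {
    ("link", "rel"): set(
        "alternate apple-touch-icon apple-touch-icon-precomposed "
        "apple-touch-startup-image author bookmark external help icon license "
        "manifest mask-icon next nofollow noopener noreferrer pingback prefetch "
        "preload prev search stylesheet tag".split()) | {"shortcut icon"},
    ("meta", "http-equiv"): {"cleartype", "content-type", "content-language", "default-style"},
}

class HeadMarkupAudit(HTMLParser):
    """Collects (line, message) findings for markup outside the allow-list."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag not in ALLOWED_ATTRS:
            self.findings.append((line, f"<{tag}> is not an allowed tag"))
            return
        for name, value in attrs:
            allowed = ALLOWED_VALUES.get((tag, name))
            if name not in ALLOWED_ATTRS[tag]:
                self.findings.append((line, f"<{tag}> attribute '{name}' is not allowed"))
            # Assumption: the attribute value is compared as one whole string.
            elif allowed and (value or "").strip().lower() not in allowed:
                self.findings.append((line, f"<{tag}> {name}='{value}' is not an allowed value"))

def audit_head_markup(markup):
    parser = HeadMarkupAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings

# Constructed sample head markup (hypothetical URLs), not taken from the page.
SAMPLE = """<title>Community</title>
<meta http-equiv="refresh" content="0; url=/s/">
<link rel="stylesheet" href="https://cdn.example.com/site.css" crossorigin="anonymous">
<script src="https://cdn.example.com/profiling.js"></script>
<meta name="viewport" content="width=device-width" onload="init()">
"""
```

Calling `audit_head_markup(SAMPLE)` returns one finding each for the `refresh` value, the `<script>` tag and the `onload` attribute, with the line number where each appears.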