Custom HTML for Banners

Hello friends,

Appreciate your thoughts on this, mainly from a security perspective. We were exploring custom HTML Banners in Braze. In this case, the SDK would render both the content payload and the HTML to the website DOM and the browser would execute the code.

We were conscious that anyone could accidently insert malicious content into the HTML, resulting in PII sharing, stolen cookie tokens etc. Currently we can set allowUserSuppliedJavascript to 'true' to accept custom JS

Has anyone implemented guardrails within your teams/ processes to manage such risks whilst leveraging the custom HTML for Banners? Would be great to hear your thoughts.

Regards
Raj

Find more posts tagged with

SDKs and APIs

Data Transformation

Comments

DavidO

Hi @Rajorigin

Although not perfect (nothing is) you can add to your <head> tag for example:

<meta http-equiv="Content-Security-Policy" content="script-src 'self' https://js.appboycdn.com https://*.braze.com https://*.braze.eu 'unsafe-inline';">

to restrict scripts to trusted domains you are using. 'unsafe-inline' allows Braze to still inject srcript into the DOM which it usually needs in these scenarios but you can test it without that tag if you want to go safer again.

Rajorigin

Thanks @DavidO , appreciate your response as always.
Braze confirmed that they should be pushing out an update in the next SDK release to allow the use of banner properties with allowUserSuppliedJavascript set to false, which is good news

Rajorigin

thanks @jerome_ahkan for your response as well, much appreciated, something for you guys to consider too for Banners, cheers

jerome_ahkan

Thanks @Rajorigin, we definitely will keep that in mind. I think we're looking at Braze banners as we speak so that <head> tag will definitely come in handy!