
Rajorigin
Expert
20 days ago

Custom HTML for Banners

Hello friends,

Appreciate your thoughts on this, mainly from a security perspective. We were exploring custom HTML Banners in Braze. In this case, the SDK would render both the content payload and the HTML to the website DOM and the browser would execute the code.

We were conscious that anyone could accidentally insert malicious content into the HTML, resulting in PII sharing, stolen cookie tokens etc. Currently we can set allowUserSuppliedJavascript to 'true' to accept custom JS.

Has anyone implemented guardrails within your teams/ processes to manage such risks whilst leveraging the custom HTML for Banners? Would be great to hear your thoughts.

Regards
Raj

4 Replies

  • Hi Rajorigin

    Although not perfect (nothing is) you can add to your <head> tag for example:

    <meta http-equiv="Content-Security-Policy" content="script-src 'self' https://js.appboycdn.com https://*.braze.com https://*.braze.eu 'unsafe-inline';">

    to restrict scripts to trusted domains you are using. 'unsafe-inline' allows Braze to still inject script into the DOM, which it usually needs in these scenarios, but you can test it without that tag if you want to go safer again.

    • jerome_ahkan
      Influencer

      Thanks Rajorigin, we definitely will keep that in mind. I think we're looking at Braze banners as we speak so that <head> tag will definitely come in handy!

  • Thanks DavidO, appreciate your response as always.
    Braze confirmed that they should be pushing out an update in the next SDK release to allow the use of banner properties with allowUserSuppliedJavascript set to false, which is good news :)
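The CSP suggested in the first reply is a good starting point, but a team shipping custom HTML banners will want a repeatable way to check what the deployed policy actually permits. The following is an added example, not code from the thread or from Braze: it parses a policy string, flags the script-src sources that matter once user-supplied HTML reaches the DOM ('unsafe-inline', 'unsafe-eval', wildcard hosts), and builds a nonce-based variant. The sample policy is the one quoted above; the hosts list and nonce are constructed placeholders.

```javascript
// Added example (not from the thread): audit a Content-Security-Policy string
// before enabling custom HTML banners. SAMPLE_CSP is the policy suggested in
// the first reply, embedded here as constructed sample input.
const SAMPLE_CSP =
  "script-src 'self' https://js.appboycdn.com https://*.braze.com https://*.braze.eu 'unsafe-inline';";

// Parse "directive src src; directive src ..." into { directive: [sources] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Report script-src weaknesses that matter when banner HTML is rendered into
// the DOM. script-src falls back to default-src per the CSP spec.
function auditScriptSrc(policy) {
  const directives = parseCsp(policy);
  const scriptSrc = directives["script-src"] || directives["default-src"];
  const findings = [];
  if (!scriptSrc) {
    findings.push("no script-src or default-src: any script may run");
    return findings;
  }
  for (const src of scriptSrc) {
    const s = src.toLowerCase();
    if (s === "'unsafe-inline'") findings.push("'unsafe-inline' lets injected inline <script> execute");
    if (s === "'unsafe-eval'") findings.push("'unsafe-eval' allows eval()/new Function()");
    if (s === "*" || s === "http:" || s === "https:") findings.push(`scheme/wildcard source ${src} allows any host`);
    if (/^https?:\/\/\*\./.test(s)) findings.push(`wildcard host ${src}: every subdomain can serve scripts`);
  }
  return findings;
}

// Hardened variant: no 'unsafe-inline'; inline scripts run only if they carry the
// per-response nonce. `hosts` and `nonce` are caller-supplied placeholders here;
// generate a fresh random nonce on every page load in real deployments.
function nonceBasedScriptSrc(hosts, nonce) {
  return `script-src 'self' ${hosts.join(" ")} 'nonce-${nonce}';`;
}
```

The nonce variant only helps if every inline script the SDK injects carries that nonce, so confirm against the Braze Web SDK documentation whether it can be given one before removing 'unsafe-inline'.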