Custom HTML for Banners

Question

Hello friends,Appreciate your thoughts on this, mainly from a security perspective. We were exploring custom HTML Banners in Braze. In this case, the SDK would render both the content payload and the HTML to the website DOM and the browser would execute the code.&nbsp;We were conscious that anyone could accidently insert malicious content into the HTML, resulting in PII sharing, stolen cookie tokens etc. Currently we can set allowUserSuppliedJavascript&nbsp; to 'true' to accept custom JSHas anyone implemented guardrails within your teams/ processes to manage such risks whilst leveraging the custom HTML for Banners? Would be great to hear your thoughts.RegardsRaj

davido · Answer

Hi Rajorigin​&nbsp;Although not perfect (nothing is) you can add to your &lt;head&gt; tag for example:&lt;meta http-equiv="Content-Security-Policy" content="script-src 'self' https://js.appboycdn.com https://*.braze.com https://*.braze.eu 'unsafe-inline';"&gt;to restrict scripts to trusted domains you are using. 'unsafe-inline' allows Braze to still inject srcript into the DOM which it usually needs in these scenarios but you can test it without that tag if you want to go safer again.

Google Tag Manager

Forum Discussion

Custom HTML for Banners

1 Reply

Related Content

HTML Preference Center

Action Path based on custom attribute

Nested custom attributes in Custom HTML messages

Latency when refreshing Banner

Figma to Braze HTML templates

Recent Discussions

Custom HTML for Banners

First_did_event

Challenges with Fetching Spam-Blocked Users from Braze

Query Builder, Fetch records from USERS_CANVAS_ENTRY_SHARED view using Canvas Name

Loyalty programme recommendations