KB Building Embeds & custom code

Embeds & custom code stub

How we add third-party scripts and custom code without opening XSS or supply-chain holes.

Use this when

Adding an analytics tag, chat widget, embed, or any hand-written script to a site.

Definition of done

To define: third-party scripts vetted and CSP-compatible; custom code reviewed; no untrusted data in script contexts. See Security baseline.

Requirements

  1. Draft. Subresource Integrity (SRI) on every external script; scripts must load under the site's CSP using a nonce or hash; all custom JS passes a review gate before it ships.

Why & sources

Builds on Security baseline · Web security for client sites.