Trusted Embeds With Stronger Content Security
Allowlist trusted third-party embeds inside rich text while a hardened Content Security Policy keeps untrusted scripts off published sites.
Editors can now drop trusted third-party content, such as media players, maps, and other interactive widgets, directly into rich text, without losing control over what runs on a published site. Only sources you allow are permitted, every embed is sanitised, and a hardened Content Security Policy blocks untrusted scripts from reaching your visitors.
Embed trusted content, safely
When you add an embed inside rich text, it is checked against an allowlist of trusted sources before it can render. Anything outside that list is rejected, and the markup that does get through is sanitised, so a single editor cannot accidentally introduce an unsafe script. This keeps the convenience of embedding live content while removing the usual risk that comes with pasting third-party code into a page.
Hardened security on published pages
A stronger Content Security Policy now backs every published site, instructing the browser to ignore scripts that are not explicitly trusted. The allowlist and the policy work together, so approved embeds keep working while everything else is blocked at the browser level.
Consistent across every page
Trusted embeds render the same way no matter how a page is built or served. An embed that works in one place behaves identically everywhere your content appears, so you do not have to re-check each page after adding it.