diff --git a/docs/api-docs/storefront/scripts-overview.mdx b/docs/api-docs/storefront/scripts-overview.mdx index 3f119e6e7..69bb6f55c 100644 --- a/docs/api-docs/storefront/scripts-overview.mdx +++ b/docs/api-docs/storefront/scripts-overview.mdx @@ -108,15 +108,15 @@ Release notes can work for all storefronts. Changes to the [OAuth scopes](/docs/ ## PCI compliance -To comply with PCI standards, BigCommerce implements the [Subresource Integrity (SRI)]() feature for external scripts and [Content Security Policy (CSP)]() standards for inline scripts. +To ensure the integrity of your scripts, BigCommerce implements the [Subresource Integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) feature for _external_ scripts and [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) standards for _inline_ scripts. -You can [opt into these security features]() in the control panel in storefront settings. +You can [opt into these security features]() in the control panel in storefront settings. -The following sections describe what you need to provide after you opt-in to ensure the integrity of scripts. +After you opt in, your scripts must meet additional requirements to successfully execute in the browser. The following sections describe what you and BigCommerce need to provide to meet security requirements after you opt in. ### Subresource integrity -[Subresource integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is a security feature browsers use to verify that attackers have not manipulated external hosted resources, including scripts. +[Subresource integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is a security feature browsers use to verify that attackers have not manipulated _external_ hosted resources, including scripts. All scripts on the checkout page need at least one SRI hash to meet [PCI 4.0 - 6.4.3 requirements](https://pcipolicies.com/blogs/news/how-to-comply-with-the-new-pci-dss-requirement-6-4-3). @@ -137,15 +137,13 @@ You can add up to five SRI hashes and remove hashes when they are no longer vali ### Content security policy -[Content Security Policy (CSP)]() is a standard that uses [`nonce` global attributes]() to allowlist non-static inline scripts. +[Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is a standard that can use [`nonce` global attributes](https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/nonce) to allowlist _non-static inline_ scripts. -Since inline scripts may contain dynamic handlebar template variables, BigCommerce uses `nonce` values instead of `integrity` hashes to validate inline scripts. Browsers first check for `integrity` hashes before checking `nonce` values. +Since the inline scripts you inject may contain dynamic handlebar template variables, BigCommerce uses `nonce` values instead of `integrity` hashes to validate inline scripts. Browsers first check for `integrity` hashes before checking `nonce` values. -The `nonce` attribute in the `script` tag has a uniquely generated value. -On every page load, BigCommerce generates a `nonce` value and passes it to browsers through the HTTP `Content-Security-Policy` response header. -For any scripts that the merchant adds through Script Manager or the Scripts API, BigCommerce automatically injects the `nonce` value for them on every page load. +If you add a script through Script Manager or the Scripts API, BigCommerce automatically generates and injects a unique `nonce` value for the script on every page load. We then pass it to browsers through the HTTP `Content-Security-Policy` response header. -If you are editing custom scripts in the Stencil theme files (i.e. outside of Script Manager or the Scripts API), you need to add a `nonce` handlebar. +If you have custom scripts in the Stencil theme files (i.e. outside of Script Manager or the Scripts API), you need to add a `nonce` handlebar to the script. ## Troubleshooting