Trusted mode

Acquia Lift enables trusted mode for content. When you display imported content in your website, this content may be trusted or untrusted. If you control all the imported content and you are sure that its styles and any JavaScript are safe for your website, then you can enable trusted mode. When content is trusted, your website will render that content inline, as if it were native to the local website.

Untrusted content is run in a separate JavaScript sandbox. This helps protect your website from unsafe code in imported content by preventing any JavaScript in the content from interacting with your website's, and vice versa. This content will be imported using the style of the original publishing website.

Enabling trusted mode

Trusted mode can be enabled across your full website in the Acquia Lift configuration settings.

  1. Sign in to your website as an administrator.
  2. Click Configure > Acquia Lift Settings.
  3. Near the bottom of the page, open the Advanced configuration fieldset.
  4. Under Content replacement mode, select Trusted to enable or Untrusted (default) to disable trusted content.
  5. Click Save configuration.

Overriding slot modes

One or more slots can have a different setting than the website default. If you have a given slot that will always hold untrusted content on an otherwise trusted website, or vice versa, you can override the slot to have a non-default setting.

Within the Embed code that you add to your page, add the following line to set a particular slot to always be trusted:

<div data-lift-slot="my-trusted-slot" data-lift-mode="trusted" />

If you have a slot that should always be protected, replace trusted with untrusted.

Styling untrusted content

Trusted content automatically uses the style of your website by applying appropriate CSS and targeting. When you are using imported content that is not trusted, it does not use that CSS and its styling may not fit with the style of your website. You can apply an attribute to the slot, which applies a stylesheet:

<div data-lift-slot="my-slot-id" data-lift-css="http://mysite.com/custom_slot.css"></div>

Styles and scripts in trusted mode

When rendering content in trusted mode, it is important to understand when styles should or should not be imported with the content as rendered by the view mode. In some cases, rendering the content in an untrusted iframe will require additional styling and scripting that not should be included in directly injected trusted content (or should be the responsibility of the Acquia Lift website displaying the content).

In trusted content mode, Acquia Lift renders markup only in <body> tags, which removes all styles and scripts included in the <head> tags. Additionally, Acquia Lift removes any HTML element in the <body> tags that includes data-content-barrier-exclude="true" in its attributes. This attribute is applied by Content Hub rendering templates for all footer JavaScript code. Content injected in untrusted mode will be injected as-is, with all markup included.

The intention with trusted mode is that the website receiving the injected content should control the styling and scripting of content, whether injected or rendered natively on the page. There are situations when the content for replacement is architected in a more component-based approach, and styles or scripts should be packaged with the content for use in either trusted on untrusted mode. In these cases, any styles and scripts necessary should be rendered in the <body> of the rendered view mode content in Content Hub.

Example

For example, in untrusted mode, this markup is rendered:

<!DOCTYPE html>
<html lang="en">
<head>
    <style>
    .my-custom-style { color: #000000; }
    </style>
    <link rel="stylesheet" href="http://mysite.com/stylesheet.css" />
    <script type="text/javascript" src="http://mysite.com/myexternaljs.js"></script>
    <script>
    var foo = 'bar';
    </script>
</head>
<body>
    <style>
    .perfect { color: #39ff14; }
    </style>
    <script>
    var perfect = 'check out that style';
    </script>
    <p class="perfect">My perfect content
        <span data-content-barrier-exclude="true">Don't show this in trusted mode</span>
    </p>
    <div data-content-barrier-exclude="true">
    <script type="text/javascript" src="http://mysite.com/myfooterjs.js"></script>
    </div>
</body>
</html>

However, if the content is trusted, only this section will be rendered:

    <style>
    .perfect { color: #39ff14; }
    </style>
    <script>
    var perfect = 'check out that style';
    </script>
    <p class="perfect">My perfect content
    </p>

Contact supportStill need assistance? Contact Acquia Support