Content Security Policy Overview

The Lightning Component framework uses Content Security Policy (CSP), which is a W3C standard, to control the source of content that can be loaded on a page.

CSP is a W3C standard maintained by the Web Application Security Working Group. The framework delivers its policy in the Content-Security-Policy HTTP header defined by that standard.

The framework’s CSP covers these resources:

JavaScript Libraries
All JavaScript libraries must be uploaded to Salesforce static resources. For more information, see Using External JavaScript Libraries.
HTTPS Connections for Resources
All external fonts, images, frames, and CSS must use an HTTPS URL. A plain-HTTP URL would let anyone on the network path replace the resource, so the policy blocks it even though the page itself is served over HTTPS.

You can relax the policy and allow specific third-party resources by adding CSP Trusted Sites. Every trusted site you add is an origin the browser will load content from wherever the policy applies, so add only origins you control or trust.

Browser Support

CSP isn’t enforced by all browsers. For a list of browsers that enforce CSP, see caniuse.com.

Note

IE11 doesn’t support CSP, so we recommend using other supported browsers for enhanced security.

Finding CSP Violations

Any policy violations are logged in the browser’s developer console. The violations look like the following message.

Refused to load the script 'https://externaljs.docsample.com/externalLib.js'
because it violates the following Content Security Policy directive: ...

If your app’s functionality isn’t affected, you can ignore the CSP violation. The message still means that something on the page tried to load a resource from a source the policy doesn’t allow, so confirm where the request came from (your own component, a third-party library, or a browser extension) before dismissing it.
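As an added example that is not part of the Lightning documentation or framework code, the following Node.js script models the rules on this page: scripts come from static resources, other resources must use HTTPS, and anything else needs a CSP Trusted Site. It parses a console message in the form quoted above, checks a URL against a simplified CSP source matcher, and shows how adding an origin (the effect of a CSP Trusted Site) turns a blocked load into an allowed one. The page origin, the baseline policy, the host names, and the messages are all constructed for the example; the policy is not Salesforce’s actual header, and the matcher ignores ports and nonce/hash sources.

```javascript
// Added example, not code from the Lightning framework or its documentation.
// A simplified CSP source-expression matcher, a parser for the console message
// shape quoted above, and a triage routine that applies the rules on this page
// (scripts come from static resources, other resources use HTTPS, anything else
// needs a CSP Trusted Site). Everything below is constructed: the page origin,
// the baseline policy (it is NOT Salesforce's real header), host names and
// messages. Ports, nonce/hash sources and the scheme-less host-source rule are
// simplified; use a real CSP evaluator for production policy analysis.

// The directive that governs each resource type, falling back to default-src.
const DIRECTIVE_FOR_TYPE = {
  script: 'script-src',
  stylesheet: 'style-src',
  image: 'img-src',
  font: 'font-src',
  frame: 'frame-src',
};

// Parse a Content-Security-Policy header value into { directive: [source, ...] }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// Return a copy of the policy with one more origin allowed for a directive.
// This models what adding a CSP Trusted Site does to the effective policy.
function withTrustedSite(policy, directive, origin) {
  const current = policy[directive] || policy['default-src'] || [];
  return { ...policy, [directive]: [...current, origin.toLowerCase()] };
}

// Does one source expression permit `url` for a page served from `pageOrigin`?
function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr.startsWith("'")) return false;               // nonce/hash: not URL-based
  if (expr === '*') return /^https?:$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return url.protocol === expr; // e.g. https:
  // host-source: [scheme://][*.]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::\d+)?(?:\/.*)?$/.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  const wantScheme = scheme ? scheme + ':' : new URL(pageOrigin).protocol;
  if (url.protocol !== wantScheme) return false;
  return wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
}

// Would the policy allow loading `urlString` as resource `type`?
function isAllowed(policy, type, urlString, pageOrigin) {
  const directive = DIRECTIVE_FOR_TYPE[type] || 'default-src';
  const sources = policy[directive] || policy['default-src'];
  if (!sources) return true;                            // nothing governs this type
  const url = new URL(urlString);
  return sources.some((expr) => sourceMatches(expr, url, pageOrigin));
}

// Pull the resource type, blocked URL and directive out of a console message
// in the "Refused to load the ..." form quoted above.
const VIOLATION_RE =
  /Refused to load the (\w+) '([^']+)' because it violates the following Content Security Policy directive: "([^"]*)"/;

function parseViolation(message) {
  const m = VIOLATION_RE.exec(message.replace(/\s+/g, ' '));
  return m ? { type: m[1], blockedUri: m[2], directive: m[3] } : null;
}

// Map a violation to the remediation this page prescribes.
function triage(message) {
  const v = parseViolation(message);
  if (!v) return null;
  const url = new URL(v.blockedUri);
  if (v.type === 'script') return { ...v, action: 'upload-as-static-resource' };
  if (url.protocol !== 'https:') return { ...v, action: 'use-https-url' };
  return { ...v, action: 'add-csp-trusted-site', origin: url.origin };
}

// Constructed sample data (not a real org, header or message).
const PAGE_ORIGIN = 'https://app.example.com';
const BASE_POLICY = parsePolicy(
  "default-src 'self'; script-src 'self'; style-src 'self' https:; " +
  "img-src 'self' https:; font-src 'self' https:; frame-src 'self'"
);
const SAMPLE_MESSAGE =
  "Refused to load the script 'https://externaljs.docsample.com/externalLib.js' " +
  "because it violates the following Content Security Policy directive: \"script-src 'self'\".";

// Walk through the page's three cases.
console.log(triage(SAMPLE_MESSAGE));                    // action: upload-as-static-resource
console.log(isAllowed(BASE_POLICY, 'image', 'http://cdn.example.com/logo.png', PAGE_ORIGIN)); // false: not HTTPS
const widened = withTrustedSite(BASE_POLICY, 'frame-src', 'https://widgets.example.com');
console.log(isAllowed(BASE_POLICY, 'frame', 'https://widgets.example.com/embed', PAGE_ORIGIN)); // false
console.log(isAllowed(widened, 'frame', 'https://widgets.example.com/embed', PAGE_ORIGIN));     // true
```

The useful part in practice is the last two calls: before asking an admin to add a trusted site, run the blocked URL against the current policy and the proposed one, and confirm that only the origin you intend becomes loadable (a wildcard such as `https://*.example.com` admits every subdomain, including ones you do not control).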