Available in: Salesforce Classic and Lightning Experience

Available in: Developer, Enterprise, Performance, and Unlimited

User Permissions Needed | |
---|---|
To create, read, update, and delete: | Customize Application or Modify All Data |
Content Security Policy (CSP) is a Candidate Recommendation of the W3C working group on Web Application Security. The framework uses the Content-Security-Policy HTTP header recommended by the W3C. By default, the framework’s headers allow content to be loaded only from secure (HTTPS) URLs and forbid XHR (XMLHttpRequest) requests from JavaScript.
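
The following added example (not Salesforce code) sketches how a browser evaluates a policy of the shape described above: HTTPS-only loading with XHR blocked through `connect-src`. The policy string, function names and URLs are constructed for illustration and are not the framework's actual header; only `'self'`, scheme sources and host sources are handled, and anything else is treated as not matching.

```javascript
// Constructed sample policy for illustration; NOT the framework's actual header value.
const SAMPLE_POLICY = "default-src https:; connect-src 'none'; img-src https: data:";

// Split a Content-Security-Policy header value into { directive: [source, ...] }.
function parseCsp(headerValue) {
  const policy = {};
  for (const part of headerValue.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression match the target URL? Ports and paths are ignored here.
function sourceMatches(source, target, page) {
  const src = source.toLowerCase();
  if (src === "'self'") return target.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return target.protocol === src; // scheme source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:']+)/.exec(src);        // host source
  if (!m) return false; // quoted keywords such as 'none' never match a URL
  const scheme = m[1] ? m[1] + ":" : page.protocol;
  if (target.protocol !== scheme) return false;
  return m[2].startsWith("*.")
    ? target.hostname.endsWith(m[2].slice(1)) // "*.example.com" excludes bare example.com
    : target.hostname === m[2];
}

// Would `url` be allowed for a fetch directive on a page served from `pageUrl`?
function isAllowed(policy, directive, url, pageUrl) {
  const sources = policy[directive] ?? policy["default-src"]; // fall back to default-src
  if (sources === undefined) return true; // nothing restricts this resource type
  const page = new URL(pageUrl);
  const target = new URL(url, page);
  return sources.some((s) => sourceMatches(s, target, page));
}
```

XHR and `fetch()` calls are checked against `connect-src`, so with this sample policy `isAllowed(parseCsp(SAMPLE_POLICY), "connect-src", ...)` is false for every URL while HTTPS scripts and images still load.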
CSP isn’t enforced by all browsers. For a list of browsers that enforce CSP, see caniuse.com.
IE11 doesn’t support CSP, so we recommend using other supported browsers for enhanced security.