Critical Update for Stricter CSP Restrictions

The Lightning Component framework already uses Content Security Policy (CSP), a W3C standard, to control the sources from which content can be loaded on a page. The “Enable Stricter Content Security Policy for Lightning Components” critical update tightens that policy to reduce the impact of cross-site scripting (XSS): injected script that reaches the page is refused by the browser rather than executed. In this release, stricter CSP is enforced only in sandboxes and Developer Edition orgs.

The stricter CSP removes the unsafe-inline and unsafe-eval keyword sources from the script-src directive. Without unsafe-inline, the browser blocks inline <script> blocks, inline event-handler attributes, and javascript: URLs; without unsafe-eval, it blocks string-to-code execution such as eval(), new Function(), and setTimeout() or setInterval() called with a string. Check your own code and every third-party library you load (for example, as a static resource) for these constructs and remove them; a library that uses them at load time fails in its entirety, not just in the offending call. You might have to update third-party libraries to modern versions that don’t depend on unsafe-inline or unsafe-eval. Open the browser console while exercising the page: CSP violations are reported there as the fastest way to find remaining offenders.
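The following is an added example, not code from the Salesforce release notes or the Lightning framework. It shows the kind of rewrite the paragraph asks for (string-to-code conversion replaced with JSON.parse) and a small scanner for the constructs the stricter script-src rejects, run over a constructed fragment of legacy third-party code. The pattern list, the sample input, and the function names are this example’s own; the inline-handler pattern deliberately skips Aura expressions such as onclick="{!c.handler}", which the framework compiles and which are not DOM inline handlers.

```javascript
// Added example (not Salesforce's code). Shows constructs blocked when
// script-src has no 'unsafe-inline' / 'unsafe-eval', and CSP-compliant rewrites.

// BEFORE: needs 'unsafe-eval'. Under stricter CSP the browser throws an
// EvalError and reports a CSP violation in the console.
function parseConfigUnsafe(json) {
  return eval("(" + json + ")");
}

// AFTER: same result, no string-to-code conversion, so it runs under strict CSP.
function parseConfigSafe(json) {
  return JSON.parse(json);
}

// Patterns that stricter CSP refuses (names and regexes are this example's own).
// Aura markup like onclick="{!c.doIt}" is excluded: it is compiled by the
// framework, not attached as a DOM inline handler.
const CSP_VIOLATIONS = [
  { name: "eval",            re: /\beval\s*\(/ },
  { name: "new Function",    re: /\bnew\s+Function\s*\(/ },
  { name: "string timer",    re: /\bset(?:Timeout|Interval)\s*\(\s*['"`]/ },
  { name: "inline handler",  re: /\son[a-z]+\s*=\s*["'](?!\{!)/i },
  { name: "javascript: URL", re: /\bhref\s*=\s*["']\s*javascript:/i },
  { name: "inline <script>", re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>/i },
];

// Scan source text line by line; return one finding per matching pattern per line.
function findCspViolations(source) {
  const findings = [];
  source.split("\n").forEach((line, i) => {
    for (const v of CSP_VIOLATIONS) {
      if (v.re.test(line)) {
        findings.push({ line: i + 1, kind: v.name, text: line.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample: a legacy helper plus markup, the kind of thing an old
// third-party library or static resource might contain.
const SAMPLE_LEGACY = `
var cfg = eval("(" + response + ")");
setTimeout("refresh()", 1000);
var fn = new Function("a", "return a * 2");
<button onclick="doIt()">Go</button>
<a href="javascript:void(0)">x</a>
<script>init();</script>
<script src="/resource/lib.js"></script>
`;

// Constructed sample: the same logic rewritten to run under stricter CSP.
// The external <script src=...> above is also allowed; only inline script is not.
const SAMPLE_FIXED = `
var cfg = JSON.parse(response);
setTimeout(refresh, 1000);
var fn = function (a) { return a * 2; };
<button data-action="doIt">Go</button>
`;

// Usage: list each offending line so the library can be patched or replaced.
for (const f of findCspViolations(SAMPLE_LEGACY)) {
  console.log(`line ${f.line}: ${f.kind}: ${f.text}`);
}
```

The scanner is a triage aid for code you ship as a static resource, not a substitute for loading the page with stricter CSP active and reading the browser console, which is the authoritative report of what the browser actually refused.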

Note

Stricter CSP was originally part of the LockerService critical update, which was automatically activated for all orgs in Summer ’17. Stricter CSP was decoupled from LockerService in Summer ’17 to give you more time to update your code.

Critical Update Timeline

Stricter CSP will gradually be made available in more orgs. This is the planned timeline, but the schedule for future releases might change.

Summer ’17
The critical update is only available in sandboxes and Developer Edition orgs.
Winter ’18 (future plans)
The critical update will be extended to all orgs, including production orgs.
Winter ’19 (future plans)
The critical update will be automatically activated for all orgs when the critical update expires.

Activate the Critical Update

Stricter CSP is enabled by default in sandboxes and Developer Edition orgs that previously activated the “Enable Lightning LockerService Security” critical update. In all other sandboxes and Developer Edition orgs, stricter CSP is disabled by default.

To enable stricter CSP:

  1. From Setup, enter Critical Updates in the Quick Find box, and then select Critical Updates.
  2. For “Enable Stricter Content Security Policy for Lightning Components”, click Activate.
  3. Refresh your browser page to proceed with stricter CSP enabled.

What Does This Critical Update Affect?

The “Enable Stricter Content Security Policy for Lightning Components” critical update enables stricter CSP in sandboxes and Developer Edition orgs for:

  • Lightning Experience
  • Salesforce1
  • Standalone apps that you create (for example, myApp.app)

Note

There is a separate “Enable Stricter Content Security Policy for Lightning Components in Communities” critical update to enable stricter CSP for Communities.

The critical update doesn’t affect:

  • Salesforce Classic
  • Any apps for Salesforce Classic, such as Salesforce Console in Salesforce Classic
  • Lightning Out, which allows you to run Lightning components in a container outside of Lightning apps, such as Lightning components in Visualforce and Visualforce-based Communities. The container defines the CSP rules.