The Lightning Component framework already uses Content Security Policy (CSP), which is a W3C standard, to control the source of content that can be loaded on a page. The “Enable Stricter Content Security Policy for Lightning Components” critical update tightens CSP to mitigate the risk of cross-site scripting attacks. Stricter CSP is only enforced in sandboxes and Developer Edition orgs.
The stricter CSP disallows the unsafe-inline and unsafe-eval keywords for inline scripts (script-src). Ensure that your code and any third-party libraries you use adhere to these rules by removing all calls to eval() and all inline JavaScript code execution. You might have to update your third-party libraries to modern versions that don’t depend on unsafe-inline or unsafe-eval.
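The note tells you to remove eval() and inline script execution from your own code and your third-party libraries, but not how to find them. The following is an added example, not code from the Salesforce release note or the Lightning framework: a heuristic scanner that flags the JavaScript and markup constructs that a script-src policy without unsafe-inline or unsafe-eval blocks, so you can audit a library before activating the critical update. The rule list, the helper names, and the sample library source are all constructed for this example.

```javascript
// Added example, not part of the Salesforce release note or the Lightning
// framework. A heuristic scanner that flags the constructs blocked by a
// script-src policy without 'unsafe-inline' or 'unsafe-eval', so you can audit
// your own code and third-party libraries before activating the critical
// update. The sample source below is constructed for this example.

// Each rule: a pattern, the CSP keyword whose removal breaks it, and a
// CSP-compliant alternative to suggest in the report.
const RULES = [
  { id: "eval", keyword: "unsafe-eval", re: /\beval\s*\(/,
    fix: "parse data with JSON.parse or refactor to plain functions" },
  { id: "new-function", keyword: "unsafe-eval", re: /\bnew\s+Function\s*\(/,
    fix: "define the function statically" },
  { id: "string-timer", keyword: "unsafe-eval",
    re: /\b(setTimeout|setInterval)\s*\(\s*["'`]/,
    fix: "pass a function reference instead of a code string" },
  { id: "inline-handler", keyword: "unsafe-inline",
    re: /<[a-zA-Z][^>]*\son[a-zA-Z]+\s*=\s*["']/,
    fix: "attach handlers with addEventListener" },
  { id: "javascript-url", keyword: "unsafe-inline",
    re: /\bhref\s*=\s*["']\s*javascript:/i,
    fix: "use a click handler or a real URL" },
  { id: "inline-script", keyword: "unsafe-inline",
    re: /<script\b(?![^>]*\bsrc=)[^>]*>/i,
    fix: "move the script into a static resource loaded via src" },
];

// Strip single-line comments so a commented-out eval() does not produce a
// finding. Block comments and string literals are not parsed: this is a
// heuristic, not a JavaScript parser, so review its output by hand.
function stripLineComment(line) {
  return line.replace(/\/\/.*$/, "");
}

// Scan one file's text. Returns one finding per (line, rule) match.
function scanForStrictCspViolations(source, fileName = "<input>") {
  const findings = [];
  source.split("\n").forEach((rawLine, idx) => {
    const line = stripLineComment(rawLine);
    for (const rule of RULES) {
      if (rule.re.test(line)) {
        findings.push({
          file: fileName,
          line: idx + 1,
          rule: rule.id,
          blockedBy: rule.keyword, // keyword the stricter CSP removes
          fix: rule.fix,
          text: rawLine.trim(),
        });
      }
    }
  });
  return findings;
}

// Reduce findings to the set of CSP keywords the scanned code still depends
// on, matching the unsafe-inline / unsafe-eval wording of the release note.
function requiredUnsafeKeywords(findings) {
  return [...new Set(findings.map((f) => f.blockedBy))].sort();
}

// Constructed sample: a fragment of a hypothetical third-party library that
// mixes CSP-violating lines with their compliant rewrites.
const SAMPLE_LIBRARY_SOURCE = `
// legacyWidget.js (constructed sample)
function parseConfig(text) {
  return eval("(" + text + ")");
}
function parseConfigSafe(text) {
  return JSON.parse(text);
}
var tmpl = '<button onclick="widget.open()">Open</button>';
var tmplSafe = '<button class="widget-open">Open</button>';
setTimeout("widget.refresh()", 1000);
setTimeout(function () { widget.refresh(); }, 1000);
var fn = new Function("a", "b", "return a + b");
// eval("commented out, not a finding");
`;

const report = scanForStrictCspViolations(SAMPLE_LIBRARY_SOURCE, "legacyWidget.js");
console.log(`${report.length} construct(s) blocked by stricter CSP:`);
for (const f of report) {
  console.log(`  ${f.file}:${f.line} [${f.rule}] needs '${f.blockedBy}' -> ${f.fix}`);
}
console.log("Keywords still required:", requiredUnsafeKeywords(report).join(", "));
```

Run it over a library's unminified source (minified builds collapse lines and hide context). An empty result does not prove compliance, since dynamically built calls and code inside block comments or strings are outside what a line-based regex can see; the reliable check is to activate the update in a sandbox and watch the browser console for CSP violation reports.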
Critical Update Timeline
Stricter CSP will gradually be available in more orgs. This is the planned timeline, but the schedule might change for future releases.
- Summer ’17
  - The critical update is only available in sandboxes and Developer Edition orgs.
- Winter ’18 (future plans)
  - The critical update will be extended to all orgs, including production orgs.
- Winter ’19 (future plans)
  - The critical update will be automatically activated for all orgs when the critical update expires.
Activate the Critical Update
Stricter CSP is enabled by default for sandboxes and Developer Edition orgs that have previously enabled the “Enable Lightning LockerService Security” critical update. For all other sandboxes and Developer Edition orgs, stricter CSP is disabled by default.
To enable stricter CSP:
- From Setup, enter Critical Updates in the Quick Find box, and then select Critical Updates.
- For “Enable Stricter Content Security Policy for Lightning Components”, click Activate.
- Refresh your browser page to proceed with stricter CSP enabled.
What Does This Critical Update Affect?
The “Enable Stricter Content Security Policy for Lightning Components” critical update enables stricter CSP in sandboxes and Developer Edition orgs for:
- Lightning Experience
- Salesforce1
- Standalone apps that you create (for example, myApp.app)
The critical update doesn’t affect:
- Salesforce Classic
- Any apps for Salesforce Classic, such as Salesforce Console in Salesforce Classic
- Lightning Out, which allows you to run Lightning components in a container outside of Lightning apps, such as Lightning components in Visualforce and Visualforce-based Communities. The container defines the CSP rules.