Critical Updates: LockerService Changes, CRSF Protection for Visualforce Pages, and Masking Decoupled from Shield Platform Encryption

This release includes two new critical updates. One changes how Visualforce pages implement CRSF protection for GET requests. The other decouples the “View Encrypted Data” permission from Shield Platform Encryption. In addition, the LockerService, approvals, and flow critical updates from Summer ’16 have been postponed.

To ensure a smooth transition, each critical update has an opt-in period, which ends on the auto-activation date that’s displayed on the Critical Updates page in Setup. During this period, you can manually activate and deactivate the update as often as you need to evaluate the impact on your org and modify affected customizations. After the opt-in period has passed, the update is automatically activated. For more details, see Respond to Critical Updates.

LockerService Has Stricter Content Security Policy
The existing LockerService critical update tightens Content Security Policy (CSP) to eliminate the possibility of cross-site scripting attacks. These CSP changes are enforced only in sandboxes and Developer Edition orgs. The CSP changes have no effect in production orgs, even when LockerService is activated. The Lightning Component framework uses Content Security Policy (CSP) to control the source of content that can be loaded on a page.
Allow CSRF Protection on GET Requests to Visualforce Pages
This critical update makes it possible to enable CSRF checks for GET requests on Visualforce pages, and might break links to existing Visualforce pages.
Turn Off Masking for Encrypted Data
This critical update decouples masking from the Shield Platform Encryption service. This means that the “View Encrypted Data” permission, and its resulting masking behavior, will no longer be available. Customers should review their field and object-level security settings before activating this critical update.
“Make Sure Records that Are Submitted Behind the Scenes Are Routed to the Right Approval Process” Critical Update Postponed
This critical update, released in Summer ’16, was scheduled for auto-activation in Winter ’17, but has been postponed to Spring ’18.
“Trust Percent Values in Flow sObject Variables Again” Critical Update Activates in Spring ’17
This critical update, released in Summer ’16, was scheduled for auto-activation in Winter ’17, but was postponed to Spring ’17.