To ensure a smooth transition, each critical update has an opt-in period, which ends on the auto-activation date that’s displayed on the Critical Updates page in Setup. During this period, you can manually activate and deactivate the update as often as you need to evaluate the impact on your org and modify affected customizations. After the opt-in period ends, the update is activated automatically. For more details, see Respond to Critical Updates.
New Critical Updates
These critical updates are brand new in Summer ’17.
- Stricter CSP Restrictions
- Stricter Content Security Policy (CSP) restrictions have been decoupled from LockerService and aren't enforced in production orgs in Summer ’17. Instead, to give you more time to update your code to work with stricter CSP, the stricter CSP changes are available in two critical updates that affect only sandbox and Developer Edition orgs.
- Disable Access to Non-global Apex Controller Methods in Managed Package
- This critical update corrects access controls on Apex controller methods in managed packages. When this update is enabled, only methods marked with the global access modifier are accessible by Lightning components from outside the package namespace. These access controls prevent you from using unsupported API methods that the package author didn’t intend for global access.
- Stop Automated Field Updates from Suppressing Email Notifications
- For various operations, such as assigning a task to someone, you can choose to notify the affected user by email. This update stops processes, workflow rules, and Apex triggers from suppressing these email notifications.
- POST Method for runTestsSynchronous Requires View Setup Permission
- The View Setup user permission is now required to run tests synchronously using the POST method for /runTestsSynchronous/.
Pre-Existing Critical Updates
This critical update was announced in a previous release and is still available.
- Make Encrypted Data Visible to Authorized Users
- Encrypted data is visible onscreen—that is, it’s not hidden by masking characters—when you activate this critical update. To hide data from unauthorized users, you must use field-level and object-level security, regardless of whether the data is encrypted. The View Encrypted Data permission is not available.
Enforced Critical Updates
- LockerService, which has been a critical update since Summer ’16, is enforced for all orgs in Summer ’17. However, to reduce the impact on existing components, we adjusted the activation process.
- Add Clickjack Protection for Legacy Browsers to Visualforce Pages Without Page Header
- Clickjack protection for legacy browsers was a critical update in Winter ’17 and was enforced for all orgs on February 10, 2017. This critical update extends legacy browser-compatible clickjack protection for Visualforce pages that set showHeader="false" and are configured to use API versions 26.0 or earlier.
Postponed Critical Updates
- Allow CSRF Protection on GET Requests to Visualforce Pages
- This critical update, released in Spring ’17, was scheduled for auto-activation in Summer ’17, but has been postponed to October 15, 2017. This critical update gives you the option of ensuring that Visualforce pages receive a CSRF token with a GET request.
Canceled Critical Updates
- “Disable Access to Lightning Experience and the Salesforce1 Mobile Browser App from IE11” Critical Update Canceled
- The timetable for the end of support date for Internet Explorer version 11 (IE11) for Lightning Experience has changed significantly. As a result, this critical update has been canceled.