Critical Updates for Stricter CSP Restrictions

Stricter Content Security Policy (CSP) restrictions have been decoupled from LockerService and aren't enforced in production orgs in Summer ’17. Instead, to give you more time to update your code to work with stricter CSP, the stricter CSP changes are available in two critical updates that affect only sandbox and Developer Edition orgs.

The two critical updates—one for Communities and one for other contexts—are called:

  • Enable Stricter Content Security Policy for Lightning Components
  • Enable Stricter Content Security Policy for Lightning Components in Communities

The Lightning Component framework already uses CSP, which is a W3C standard, to control the source of content that can be loaded on a page. These critical updates tighten CSP to mitigate the risk of cross-site scripting attacks.

Stricter CSP might sound familiar to you. In the Spring ’17 LockerService critical update, we introduced stricter CSP to disallow the unsafe-inline and unsafe-eval keywords for inline scripts (script-src). These CSP changes were enforced only in sandboxes and Developer Edition orgs.

Critical Update Timeline

Stricter CSP will gradually become available in more orgs. Here’s the planned timeline, but the schedule might change in future releases.

Critical Update | Summer ’17 | Winter ’18 | Spring ’18 (Feb 2018) | Summer ’18 | Winter ’19 (Oct 2018)

Sandbox and DE orgs
  • Enable Stricter CSP for Lightning Components: Summer ’17 through Summer ’18, OFF by default unless LockerService was activated in Spring ’17; Winter ’19 (Oct 2018), activated for all orgs
  • Enable Stricter CSP for Lightning Components in Communities: Summer ’17 through Summer ’18, OFF by default; Winter ’19 (Oct 2018), activated for all orgs

Production orgs
  • Enable Stricter CSP for Lightning Components: Summer ’17 and Winter ’18, N/A; Spring ’18 (Feb 2018) and Summer ’18, ON by default; Winter ’19 (Oct 2018), activated for all orgs
  • Enable Stricter CSP for Lightning Components in Communities: Summer ’17 and Winter ’18, N/A; Spring ’18 (Feb 2018) and Summer ’18, OFF by default; Winter ’19 (Oct 2018), activated for all orgs

Summer ’17

The critical updates are available only in sandboxes and Developer Edition orgs. Stricter CSP is not enforced in production orgs for this release.

Spring ’18 (future plans)

The critical updates will be extended to all orgs, including production orgs.

  • “Enable Stricter Content Security Policy for Lightning Components” will be enabled by default
  • “Enable Stricter Content Security Policy for Lightning Components in Communities” will be disabled by default

You can activate and deactivate both critical updates as often as needed for testing purposes.

Winter ’19 (future plans)

Both critical updates will be automatically activated for all orgs when the critical updates expire.

Activate “Enable Stricter Content Security Policy for Lightning Components”

Stricter CSP is enabled by default for sandboxes and Developer Edition orgs that have previously enabled the “Enable Lightning LockerService Security” critical update. For all other sandboxes and Developer Edition orgs, stricter CSP is disabled by default.

To enable stricter CSP:

  1. From Setup, enter Critical Updates in the Quick Find box, and then select Critical Updates.
  2. For “Enable Stricter Content Security Policy for Lightning Components”, click Activate.
  3. Refresh your browser page to proceed with stricter CSP enabled.

What Does This Critical Update Affect?

This critical update enables stricter CSP in sandboxes and Developer Edition orgs for:

  • Lightning Experience
  • Salesforce1
  • Standalone apps that you create (for example, myApp.app)

The critical update doesn’t affect:

  • Salesforce Classic
  • Any apps for Salesforce Classic, such as Salesforce Console in Salesforce Classic
  • Lightning Out, which allows you to run Lightning components in a container outside of Lightning apps, such as Lightning components in Visualforce and Visualforce-based Communities. The container defines the CSP rules.

Activate “Enable Stricter Content Security Policy for Lightning Components in Communities”

Stricter CSP is disabled by default for sandboxes and Developer Edition orgs.

When enabled, stricter CSP affects not only custom Lightning components but also the markup used in the <head> of your community’s pages. Inline scripts aren’t permitted, and a warning appears when you enter unsupported markup tags in Settings | Advanced in Community Builder.

To enable stricter CSP for Communities:

  1. From Setup, enter Critical Updates in the Quick Find box, and then select Critical Updates.
  2. For “Enable Stricter Content Security Policy for Lightning Components in Communities”, click Activate.
  3. Refresh your browser page to proceed with stricter CSP enabled.

What Does This Critical Update Affect?

This critical update enables stricter CSP in sandboxes and Developer Edition orgs for Communities only.

The critical update doesn’t affect:

  • Salesforce Classic
  • Any apps for Salesforce Classic, such as Salesforce Console in Salesforce Classic
  • Lightning Out, which allows you to run Lightning components in a container outside of Lightning apps, such as Lightning components in Visualforce and Visualforce-based Communities. The container defines the CSP rules.