Critical Update Activation: LockerService in Communities

LockerService, which has been a critical update since Summer ’16, is enforced for all orgs in Summer ’17. However, to reduce the impact on existing communities, we adjusted the activation process. If your community uses custom Lightning components or head markup, make sure that you read the related release notes to learn how these important changes affect your community.

LockerService Enforcement Is Dependent on the API Version

LockerService, a powerful security architecture for custom Lightning components, is enforced for all Lightning components created in Summer ’17 (API version 40.0) and later. LockerService isn’t enforced for components with API version 39.0 and lower, which covers any component created before Summer ’17.

See LockerService Critical Update Activation.
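
To see which custom components in a project fall on each side of that API-version boundary, the following added example (not part of the release note and not Salesforce tooling) classifies component bundles by the `apiVersion` in their metadata. It assumes each bundle's metadata is an `AuraDefinitionBundle` XML document in the Metadata API namespace; the bundle names and XML snippets are constructed samples.

```python
import xml.etree.ElementTree as ET

# Assumption: bundle metadata uses the Metadata API namespace.
NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
LOCKER_MIN_API = 40.0  # Summer '17; 39.0 and lower are not enforced

_OPEN = '<AuraDefinitionBundle xmlns="http://soap.sforce.com/2006/04/metadata">'
_CLOSE = "</AuraDefinitionBundle>"

# Constructed sample inventory: bundle name -> contents of its metadata file.
SAMPLE_BUNDLES = {
    "caseList": _OPEN + "<apiVersion>40.0</apiVersion>" + _CLOSE,
    "legacyHeader": _OPEN + "<apiVersion>39.0</apiVersion>" + _CLOSE,
    "oldWidget": _OPEN + "<apiVersion>36.0</apiVersion>" + _CLOSE,
    "noVersion": _OPEN + "<description>no version set</description>" + _CLOSE,
    "brokenMeta": _OPEN + "<apiVersion>40.0</apiVersion>",  # truncated file
}


def locker_status(meta_xml):
    """Return 'enforced', 'not-enforced' or 'unknown' for one bundle."""
    try:
        root = ET.fromstring(meta_xml)
    except ET.ParseError:
        return "unknown"  # unreadable metadata must be reviewed by hand
    node = root.find("md:apiVersion", NS)
    text = (node.text or "").strip() if node is not None else ""
    try:
        version = float(text)
    except ValueError:
        return "unknown"  # missing or non-numeric apiVersion
    return "enforced" if version >= LOCKER_MIN_API else "not-enforced"


def audit(bundles):
    """Group bundle names by LockerService status, sorted by name."""
    report = {"enforced": [], "not-enforced": [], "unknown": []}
    for name in sorted(bundles):
        report[locker_status(bundles[name])].append(name)
    return report


if __name__ == "__main__":
    for status, names in audit(SAMPLE_BUNDLES).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Components reported as `not-enforced` run without LockerService isolation until their API version is raised to 40.0 or later, so they are the ones to review first.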

Stricter Content Security Policy (CSP) Restrictions Aren’t Enforced

The stricter CSP restrictions, which mitigate the risk of cross-site scripting attacks, have been decoupled from LockerService and aren’t enforced in production orgs in Summer ’17. Instead, the stricter CSP changes are available in two new critical updates—one for Communities and one for other contexts—which you can activate in sandbox or Developer Edition orgs. These critical updates give you more time to update your code to work with stricter CSP.

See Critical Updates for Stricter CSP Restrictions.