Critical Updates

This release includes a new critical update for email security. And we’re retiring the critical update that enforces stricter content security policy for Lightning components.

To ensure a smooth transition, each critical update has an opt-in period, which ends on the auto-activation date that’s displayed on the Critical Updates page in Setup. During this period, you can manually activate and deactivate the update as often as you need to evaluate the impact on your org and modify affected customizations. After the opt-in period has passed, the update is activated. For more details, see Respond to Critical Updates.

New Critical Updates

These critical updates are new in Winter ’19.

Open Hyperlinks in Formula Fields Correctly
This critical update addresses an issue opening hyperlinks in formula fields. If you have formula fields that contain a HYPERLINK function, Lightning Experience currently ignores the target value when attempting to open the link. This critical update ensures that the target value for hyperlinks is honored, whether it's explicitly configured or set by default. This critical update is automatically enabled in Summer ’19 on May 17, 2019.
Improve Security for Sites and Communities by Restricting Record Access for Guest Users
To address potential security vulnerabilities, we applied a critical update to Salesforce sites and communities on October 5, 2018. This update removed default record access for guest users so that they can no longer create, read, update, or delete Salesforce records. You can give guest users access to your Salesforce records by editing your object permissions.
Improve Email Security with Redesigned DKIM Keys
To address potential security vulnerabilities with DomainKeys Identified Mail (DKIM) keys, we improved the way they’re created. You no longer have to mess around with public and private keys. Instead, Salesforce publishes the TXT record containing your public key to DNS. We also added automatic key rotation to reduce the risk of your keys becoming compromised by a third party. And, because sharing keys can introduce security vulnerabilities, we removed the ability to import DKIM keys.

Retired Critical Updates

The “Enable Stricter Content Security Policy for Lightning Components” critical update has been replaced by an org setting. For more information, see Stricter Content Security Policy (CSP) Changed from a Critical Update to an Org Setting.