To ensure a smooth transition, each critical update has an opt-in period, which ends on the auto-activation date that’s displayed on the Critical Updates page in Setup. During this period, you can manually activate and deactivate the update as often as you need to evaluate the impact on your org and modify affected customizations. After the opt-in period has passed, the update is activated. For more details, see Respond to Critical Updates.
New Critical Updates
These critical updates are new in Spring ’18.
- Enable the New URL Format for Lightning Experience and the Salesforce Mobile App (Critical Update)
- We’re changing the URL format used by Lightning Experience standard apps and the Salesforce mobile app. The new URL format is more readable and addresses the issue of being directed to an unexpected location when accessing Lightning Experience URLs before authenticating. This update doesn’t apply to console apps and communities.
- Use without sharing for @AuraEnabled Apex Controllers with Implicit Sharing (Critical Update)
- This critical update changes the behavior of @AuraEnabled Apex controllers that don’t specify with sharing or without sharing to default to without sharing. This change relaxes the security for controllers that don’t explicitly set sharing behavior using these keywords. It’s a best practice to always use with sharing in Apex controllers used with Lightning components.
- Execute All Autolaunched Flow Interviews When Invoked in Bulk (Critical Update)
- When flow interviews are invoked in bulk, they are now all executed. Previously, when multiple flow interviews were invoked in bulk, only the first interview was started and executed; the remaining interviews were discarded.
- Remove Instance Names from URLs for Visualforce, Community Builder, Site.com Studio, and Content Files (Critical Update)
- We’re stabilizing the hostname of Visualforce, Community Builder, Site.com Studio, and content file URLs by removing instance names from URLs. This critical update applies to orgs that have a deployed My Domain. It will be activated automatically on March 16, 2019.
Enforced Critical Updates
- API Access for <lightning:container> Apps Is Revoked (Critical Update)
- API Access for <lightning:container> Apps Is Revoked was a critical update for Winter ’18 and will be enforced for all orgs on February 10, 2018. Lightning apps that use <lightning:container> will no longer have access to the REST APIs from inside the iframe. Apps can still access org data through Apex remoting calls.