Critical Updates

This release includes new critical updates for @AuraEnabled Apex controllers, communities and portals, flows, and the URLs used for Visualforce, Community Builder, Studio, and content files. And we’re enforcing the critical update that revokes API access from <lightning:container>.

To ensure a smooth transition, each critical update has an opt-in period, which ends on the auto-activation date that’s displayed on the Critical Updates page in Setup. During this period, you can manually activate and deactivate the update as often as you need to evaluate the impact on your org and modify affected customizations. After the opt-in period has passed, the update is activated automatically. For more details, see Respond to Critical Updates.

New Critical Updates

These critical updates are new in Spring ’18.

Enable the New URL Format for Lightning Experience and the Salesforce Mobile App (Critical Update)
We’re changing the URL format used by Lightning Experience standard apps and the Salesforce mobile app. The new URL format is more readable and addresses the issue of being directed to an unexpected location when accessing Lightning Experience URLs before authenticating. This update doesn’t apply to Lightning Experience console apps and communities.
Use without sharing for @AuraEnabled Apex Controllers with Implicit Sharing (Critical Update)
This critical update changes the behavior of @AuraEnabled Apex controllers that don’t specify with sharing or without sharing to default to without sharing. This change relaxes the security for controllers that don’t explicitly set sharing behavior using these keywords. It’s a best practice to always use with sharing in Apex controllers used with Lightning components.
Execute All Autolaunched Flow Interviews When Invoked in Bulk (Critical Update)
When flow interviews are invoked in bulk, they are now all executed. Previously, when multiple flow interviews were invoked in bulk, only the first interview was started and executed; the remaining interviews were discarded.
Remove Instance Names from URLs for Visualforce, Community Builder, Studio, and Content Files (Critical Update)
We’re stabilizing the hostname of Visualforce, Community Builder, Studio, and content file URLs by removing instance names from URLs. This critical update applies to orgs that have a deployed My Domain. It will be activated automatically on March 16, 2019.
Enable the Lightning Console UI Theme (Critical Update)
This critical update enables Theme4u, the UI theme exclusive to Lightning Console, and will be activated automatically on October 5, 2018. Currently, $User.UITheme or $User.UIThemeDisplayed returns Theme4d for Visualforce pages in both standard Lightning Experience apps and Lightning Console apps. Once the critical update is activated, Lightning Console apps return Theme4u, allowing Visualforce pages to differentiate between standard Lightning Experience apps and Lightning Console apps.
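
For the @AuraEnabled sharing update above, one way to find the controllers it affects before the opt-in period ends is to scan retrieved Apex class source for classes that expose @AuraEnabled members but declare neither with sharing nor without sharing. This is an added example, not Salesforce code: the function names and sample classes are hypothetical, the source is assumed to be available as local .cls text, and the regex check is a heuristic that inspects only the outer class declaration.

```python
import re

# Heuristic audit, not an Apex parser. String literals and comments are blanked
# first so a keyword inside them can neither satisfy nor trigger the check.
NOISE = re.compile(r"'(?:\\.|[^'\\\n])*'|/\*.*?\*/|//[^\n]*", re.S)
AURA = re.compile(r"@AuraEnabled\b", re.I)  # Apex is case-insensitive
# Outer class declaration plus the modifier words that may precede `class`.
DECL = re.compile(
    r"\b((?:(?:global|public|private|virtual|abstract|with|without|sharing)\s+)*)"
    r"class\s+(\w+)", re.I)
SHARING = re.compile(r"\b(with|without)\s+sharing\b", re.I)

def sharing_mode(apex_source):
    """(class_name, 'with sharing'|'without sharing'|'implicit'), or None."""
    code = NOISE.sub(lambda m: "''" if m.group()[0] == "'" else " ", apex_source)
    decl = DECL.search(code)
    if not AURA.search(code) or not decl:
        return None  # no @AuraEnabled member, so this update does not apply
    found = SHARING.search(decl.group(1))
    mode = found.group(1).lower() + " sharing" if found else "implicit"
    return decl.group(2), mode

def implicit_controllers(sources):
    """File names whose @AuraEnabled controller sets no sharing keyword."""
    hits = []
    for name, src in sources.items():
        result = sharing_mode(src)
        if result and result[1] == "implicit":
            hits.append(name)
    return sorted(hits)

# Constructed sample classes, not taken from any real org.
SAMPLES = {
    "ImplicitCtl.cls": """// was: public with sharing class ImplicitCtl {
public class ImplicitCtl {
    @AuraEnabled
    public static List<Account> recent() { return [SELECT Id FROM Account LIMIT 5]; }
}""",
    "ExplicitCtl.cls": """public WITH SHARING class ExplicitCtl {
    @AuraEnabled
    public static List<Account> recent() { return [SELECT Id FROM Account LIMIT 5]; }
}""",
    "Helper.cls": "public class Helper { static String s = '@AuraEnabled'; }",
}

if __name__ == "__main__":
    print(implicit_controllers(SAMPLES))
```

Each class reported as implicit is one whose behavior depends on this critical update; adding an explicit sharing keyword to it removes that dependency.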

Enforced Critical Updates

API Access for <lightning:container> Apps Is Revoked (Critical Update)
API Access for <lightning:container> Apps Is Revoked was a critical update for Winter ’18 and will be enforced for all orgs on February 10, 2018. Lightning apps that use <lightning:container> will no longer have access to the REST APIs from inside the iframe. Apps can still access org data through Apex remoting calls.