API Access for <lightning:container> Apps Is Revoked (Critical Update)

API Access for <lightning:container> Apps Is Revoked was a critical update for Winter ’18 and will be enforced for all orgs on February 10, 2018. Lightning apps that use <lightning:container> will no longer have access to the REST APIs from inside the iframe. Apps can still access org data through Apex remoting calls.

This critical update removes access to Salesforce APIs from inside the <lightning:container> iframe because this access is a security risk. Managed applications have full API access and can modify records not intended to be used by those applications. For example, a to-do list application could view and modify data in unrelated objects, such as Opportunities.

Activate and Test This Critical Update

We recommend testing this critical update and activating it now. This update is automatically enforced in your org on the auto-activation date. Test your <lightning:container> components in a Developer Edition org to verify that your <lightning:container> components still work without API access. If you must work in your production org, do so during off-peak hours.

To activate this critical update:
  1. From Setup, enter Critical Updates in the Quick Find box, and then select Critical Updates.
  2. For API Access for <lightning:container> Apps Is Revoked, click Activate.
  3. Test the <lightning:container> components that previously used API access.