Critical Updates: New Security Architecture Introduced for Lightning Components

This release includes a critical update that affects users who access Lightning Experience or Salesforce1 from IE11. Additionally, if you use Lightning components, Visualforce, flows, or approvals, it includes critical updates that probably affect your customizations.

To ensure a smooth transition, each critical update has an opt-in period, which ends on the auto-activation date that’s displayed on the Critical Updates page in Setup. During this period, you can manually activate and deactivate the update as often as you need to evaluate the impact on your organization and modify affected customizations. After the opt-in period has passed, the update is automatically activated. For more details, see Critical Updates.

Enhance Security with LockerService
LockerService is a powerful new security architecture for Lightning components that is a critical update for this release. LockerService enhances security by isolating individual Lightning components in their own containers. LockerService also promotes best practices that improve the supportability of your code by only allowing access to supported APIs and eliminating access to non-published framework internals.
Enhance Security with LockerService for Communities
This critical update enables LockerService security for Lightning components in Communities only. It’s separate from the general LockerService critical update, which activates the LockerService security enforcements throughout your Salesforce org, but not in Communities.
Enforce Access Check Errors
This critical update enforces access check violations for Lightning resources. Previously, the access violations only generated warnings. Improved access check enforcement enables component authors to have greater control over how their components are used.
Disable Access to Lightning Experience and the Salesforce1 Mobile Browser App from IE11
This critical update disables access to Lightning Experience and the Salesforce1 mobile browser app when using Microsoft Internet Explorer version 11.
Disable Custom DocTypes in Visualforce Markup
This critical update changes the rules for Visualforce markup to no longer allow the use of custom docTypes.
“PageReference getContent() and getContentAsPDF() Methods Behave as Callouts” Critical Update Postponed
In Summer ’15, we changed the behavior of the getContent() and getContentAsPDF() methods of the PageReference object. This change was released as a critical update named “PageReference getContent() and getContentAsPDF() Methods Behave as Callouts” and was scheduled for auto-activation in Summer ’16. The auto-activation date has been postponed until Winter ’17.
Trust Percent Values in Flow sObject Variables Again
Have you added special calculations to your flow to get the right output for a percent field? This critical update lets you remove those workarounds.
Make Sure Records That Are Submitted Behind the Scenes Are Routed to the Right Approval Process
When records are submitted for approval, Salesforce automatically makes sure that the record meets the entry criteria for the approval process. This critical update does the same for the submitting user when records are submitted behind the scenes by making sure that user is an allowed submitter.