Critical Updates: LockerService Changes, More Clickjack Protection for Visualforce Pages

The LockerService critical update from last release has been postponed. Also, this release includes a critical update that extends legacy browser-compatible clickjack protection for Visualforce pages that hide the page header.

To ensure a smooth transition, each critical update has an opt-in period, which ends on the auto-activation date that’s displayed on the Critical Updates page in Setup. During this period, you can manually activate and deactivate the update as often as you need to evaluate the impact on your org and modify affected customizations. After the opt-in period has passed, the update is automatically activated. For more details, see Respond to Critical Updates.

PageReference getContent() and getContentAsPDF() Methods Now Behave as Callouts (Critical Update)
This critical update was introduced in Summer ’15 and was enforced for all orgs on October 18, 2016. With this critical update, the getContent() and getContentAsPDF() methods of the PageReference object behave as callouts, and the calls are tracked against the limits of the calling transaction.
Clickjack Protection for Legacy Browsers for Visualforce Pages Without Page Header (Critical Update)
This critical update extends legacy browser-compatible clickjack protection for Visualforce pages that set showHeader="false" when those pages are also configured to use API versions before 27.0.
LockerService Critical Update Postponed
LockerService is a powerful security architecture for Lightning components that was a critical update for Summer ’16. This critical update was scheduled for auto-activation in Winter ’17. The auto-activation date has been postponed until Summer ’17.
LockerService for Communities Critical Update Postponed
LockerService is a powerful new security architecture for Lightning components that was a critical update for Communities in Summer ’16. This critical update was scheduled for auto-activation in Winter ’17. The auto-activation date has been postponed until Spring ’17.
All Orgs Can Toggle the LockerService Critical Update
All orgs can now deactivate the critical update. Also, there is a new setting on the Lightning Components setup page to let you control whether LockerService is enforced for components installed from a managed package.
“Make Sure Records that Are Submitted Behind the Scenes Are Routed to the Right Approval Process” Critical Update Postponed
This critical update, released in Summer ’16, was scheduled for auto-activation in Winter ’17, but has been postponed to Spring ’18.
“Trust Percent Values in Flow sObject Variables Again” Critical Update Postponed
This critical update, released in Summer ’16, was scheduled for auto-activation in Winter ’17, but has been postponed to Spring ’17.