To ensure a smooth transition, each critical update has an opt-in period, which ends on the auto-activation date that’s displayed on the Critical Updates page in Setup. During this period, you can manually activate and deactivate the update as often as you need to evaluate the impact on your org and modify affected customizations. After the opt-in period has passed, the update is activated. For more details, see Respond to Critical Updates.
Pre-Existing Critical Updates
This critical update was announced in a previous release and is still available.
- Critical Updates for Stricter CSP Restrictions
- Stricter Content Security Policy (CSP) restrictions have been decoupled from LockerService and aren't enforced in production orgs in Winter ’18. Instead, to give you more time to update your code to work with stricter CSP, the stricter CSP changes are available in two critical updates that affect only sandbox and Developer Edition orgs.
Enforced Critical Updates
- Allow CSRF Protection on GET Requests to Visualforce Pages To Be Enforced (Critical Update)
- Allow CSRF Protection on GET Requests to Visualforce Pages was a critical update in Spring ’17 and will be enforced for all orgs on October 15, 2017. This critical update gives you the option of ensuring that Visualforce pages receive a CSRF token with a GET request.
Postponed Critical Updates
- “Make Sure Records that Are Submitted Behind the Scenes Are Routed to the Right Approval Process” Critical Update Postponed
- This critical update, released in Summer ’16, was scheduled for auto-activation in Spring ‘18, but has been postponed to Winter ‘19.