Newer Version Available
Critical Update for Stricter CSP Restrictions in Communities
Stricter CSP tightens CSP to mitigate the risk of cross-site scripting attacks by disallowing the unsafe-inline and unsafe-eval keywords for inline scripts (script-src). Ensure that your code and the third-party libraries that you use adhere to these rules by removing all calls using eval() or inline JavaScript code execution. You might have to update your third-party libraries to modern versions that don’t depend on unsafe-inline or unsafe-eval.
In addition to affecting custom Lightning components, stricter CSP also affects the markup used in the <head> of your community’s pages, when enabled. Inline scripts aren’t permitted, and a warning appears when you enter unsupported markup tags in in Community Builder.
Critical Update Timeline
- Enable Stricter Content Security Policy for Lightning Components in Communities
- Enable Stricter Content Security Policy for Lightning Components
Stricter CSP will gradually be available in more orgs. To understand the nuances between the two different critical updates, let’s look at them together. Here’s the planned timeline, but the schedule might change for future releases.
| Critical Update | Summer ’17 | Winter ’18 | Spring ’18 (Feb 2018) | Summer ’18 | Winter ’19 (Oct 2018) | |
|---|---|---|---|---|---|---|
| Sandbox and DE orgs | Enable Stricter CSP for Lightning Components | OFF by default unless LockerService was activated in Spring ’17 | Activated for all orgs | |||
| Enable Stricter CSP for Lightning Components in Communities | OFF by default | |||||
| Production orgs | Enable Stricter CSP for Lightning Components | N/A | ON by default | |||
| Enable Stricter CSP for Lightning Components in Communities | N/A | OFF by default | ||||
- Summer ’17
- The critical updates are available only in sandbox and Developer Edition orgs. Stricter CSP is not enforced in production orgs for this release.
- Spring ’18 (future plans)
- The critical updates will be extended to all orgs, including production orgs.
- “Enable Stricter Content Security Policy for Lightning Components” will be enabled by default.
- “Enable Stricter Content Security Policy for Lightning Components in Communities” will be disabled by default.
- You can activate and deactivate both critical updates as often as needed for testing purposes.
- Winter ’19 (future plans)
- Both critical updates will be automatically activated for all orgs when the critical updates expire.
Activate “Enable Stricter Content Security Policy for Lightning Components in Communities”
In Communities, stricter CSP is disabled by default for sandboxes and Developer Edition orgs.
- From Setup, enter Critical Updates in the Quick Find box, and then select Critical Updates.
- For “Enable Stricter Content Security Policy for Lightning Components in Communities”, click Activate.
- Refresh your browser page.
What Does This Critical Update Affect?
This critical update enables stricter CSP in sandboxes and Developer Edition orgs for Communities only.
The critical update doesn’t affect:
- Salesforce Classic
- Any apps for Salesforce Classic, such as Salesforce Console in Salesforce Classic
- Lightning Out, which allows you to run Lightning components in a container outside of Lightning apps, such as Lightning components in Visualforce and Visualforce-based Communities. The container defines the CSP rules.