Newer Version Available

This content describes an older version of this product. View Latest

Critical Update for Stricter CSP Restrictions in Communities

The Lightning Component framework uses Content Security Policy (CSP), which is a W3C standard, to control the source of content that can be loaded on a page. The “Enable Stricter Content Security Policy for Lightning Components in Communities” critical update tightens CSP to mitigate the risk of cross-site scripting attacks.

Stricter CSP tightens CSP to mitigate the risk of cross-site scripting attacks by disallowing the unsafe-inline and unsafe-eval keywords for inline scripts (script-src). Ensure that your code and the third-party libraries that you use adhere to these rules by removing all calls using eval() or inline JavaScript code execution. You might have to update your third-party libraries to modern versions that don’t depend on unsafe-inline or unsafe-eval.

In addition to affecting custom Lightning components, stricter CSP also affects the markup used in the <head> of your community’s pages, when enabled. Inline scripts aren’t permitted, and a warning appears when you enter unsupported markup tags in Settings | Advanced in Community Builder.

Stricter CSP was originally part of the LockerService critical update, which was automatically activated for all orgs in Summer ’17. Stricter CSP was decoupled from LockerService in Summer ’17 to give you more time to update your code.

Note

Critical Update Timeline

The stricter CSP changes are available in two critical updates that affect only sandbox and Developer Edition orgs. The two critical updates—one for Communities and one for other contexts—are called:
  • Enable Stricter Content Security Policy for Lightning Components in Communities
  • Enable Stricter Content Security Policy for Lightning Components

Stricter CSP will gradually be available in more orgs. To understand the nuances between the two different critical updates, let’s look at them together. Here’s the planned timeline, but the schedule might change for future releases.

Critical Update Summer ’17 Winter ’18 Spring ’18 (Feb 2018) Summer ’18 Winter ’19 (Oct 2018)
Sandbox and DE orgs Enable Stricter CSP for Lightning Components OFF by default unless LockerService was activated in Spring ’17 Activated for all orgs
Enable Stricter CSP for Lightning Components in Communities OFF by default
Production orgs Enable Stricter CSP for Lightning Components N/A ON by default
Enable Stricter CSP for Lightning Components in Communities N/A OFF by default
Summer ’17
The critical updates are available only in sandbox and Developer Edition orgs. Stricter CSP is not enforced in production orgs for this release.
Spring ’18 (future plans)
The critical updates will be extended to all orgs, including production orgs.
  • “Enable Stricter Content Security Policy for Lightning Components” will be enabled by default.
  • “Enable Stricter Content Security Policy for Lightning Components in Communities” will be disabled by default.
You can activate and deactivate both critical updates as often as needed for testing purposes.
Winter ’19 (future plans)
Both critical updates will be automatically activated for all orgs when the critical updates expire.

Activate “Enable Stricter Content Security Policy for Lightning Components in Communities”

In Communities, stricter CSP is disabled by default for sandboxes and Developer Edition orgs.

  1. From Setup, enter Critical Updates in the Quick Find box, and then select Critical Updates.
  2. For “Enable Stricter Content Security Policy for Lightning Components in Communities”, click Activate.
  3. Refresh your browser page.

What Does This Critical Update Affect?

This critical update enables stricter CSP in sandboxes and Developer Edition orgs for Communities only.

The critical update doesn’t affect:

  • Salesforce Classic
  • Any apps for Salesforce Classic, such as Salesforce Console in Salesforce Classic
  • Lightning Out, which allows you to run Lightning components in a container outside of Lightning apps, such as Lightning components in Visualforce and Visualforce-based Communities. The container defines the CSP rules.

To enable stricter CSP for Lightning Experience, the Salesforce app, and standalone apps, use the “Enable Stricter Content Security Policy for Lightning Components” critical update.

Tip