Content Security Policy Overview
CSP is a Candidate Recommendation of the W3C working group on Web Application Security. The framework uses the Content-Security-Policy HTTP header recommended by the W3C.
The framework's CSP covers these resources:
- JavaScript Libraries
  - All JavaScript libraries must be uploaded to Salesforce static resources. For more information, see Accessing JavaScript Libraries in Markup.
- HTTPS Connections for Resources
  - All external fonts, images, frames, and CSS must use an HTTPS URL.
Browser Support
CSP is not enforced by all browsers. For a list of browsers that enforce CSP, see caniuse.com.
Finding CSP Violations
Any policy violations are logged in the browser's developer console. The violations look like this:
    Refused to load the script 'https://externaljs.docsample.com/externalLib.js'
    because it violates the following Content Security Policy directive: ...

If your app's functionality is not affected, you can ignore the CSP violation.
Requesting CSP Exceptions
If your app is not working due to a CSP violation, contact Salesforce to request a CSP exception for your org. Include the violation message from your browser's developer console in any communication.
Accessing JavaScript Libraries in Markup
To reference a JavaScript library that you’ve uploaded as a static resource, use a <script> tag in your .app resource:
    <script src="/resource/resourceName" type="text/javascript"></script>

resourceName is the Name of the static resource. Note that the framework doesn’t currently support the $Resource global variable available in Visualforce.
For more information on static resources, see “What is a Static Resource?” in the Salesforce online help.
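The two rules described on this page (scripts served from static resources, HTTPS for external fonts, images, frames, and CSS) can be checked in markup before it is deployed. The following is an added example, not Salesforce code: a regex-based lint that flags `<script>` tags whose source is not under `/resource/` and external URLs that are not explicitly HTTPS. The function name `lintMarkup`, the rule labels, and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: lint markup against the two rules on this page.
// Regex scanning is a simplification, not a full HTML parser.
const TAG_RE = /<(script|img|iframe|link)\b([^>]*)>/gi;
const ATTR_RE = /\b(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)')/i;
const CSS_URL_RE = /url\(\s*['"]?([^'")\s]+)['"]?\s*\)/gi;

// Absolute and protocol-relative URLs count as external.
function isExternal(url) {
  return /^([a-z][a-z0-9+.-]*:)?\/\//i.test(url);
}

function lintMarkup(markup) {
  const findings = [];
  for (const m of markup.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attr = ATTR_RE.exec(m[2]);
    if (!attr) continue; // tag without a src/href attribute
    const url = attr[2] ?? attr[3];
    if (tag === 'script') {
      // Rule 1: JavaScript libraries must come from static resources.
      if (!url.startsWith('/resource/')) {
        findings.push({ tag, url, rule: 'script-not-static-resource' });
      }
    } else if (isExternal(url) && !/^https:\/\//i.test(url)) {
      // Rule 2: external images, frames and CSS must use an HTTPS URL.
      findings.push({ tag, url, rule: 'external-not-https' });
    }
  }
  // Fonts and images referenced from inline CSS via url(...).
  for (const m of markup.matchAll(CSS_URL_RE)) {
    if (isExternal(m[1]) && !/^https:\/\//i.test(m[1])) {
      findings.push({ tag: 'css-url', url: m[1], rule: 'external-not-https' });
    }
  }
  return findings;
}

// Constructed sample markup (not from the Salesforce documentation).
const SAMPLE = `
<script src="/resource/myLib" type="text/javascript"></script>
<script src="https://externaljs.docsample.com/externalLib.js"></script>
<img src="http://img.example.com/logo.png">
<iframe src="https://frames.example.com/widget"></iframe>
<link rel="stylesheet" href="//cdn.example.com/site.css">
<style>@font-face { font-family: X; src: url("http://fonts.example.com/x.woff"); }</style>
`;

console.log(lintMarkup(SAMPLE));
```

Protocol-relative URLs such as `//cdn.example.com/site.css` are flagged because they are not explicitly HTTPS.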