Content Security Policy Overview
The framework uses Content Security Policy (CSP) to control the
source of content that can be loaded on a page.
CSP is a Candidate Recommendation of the W3C working group on Web Application Security. The framework uses the Content-Security-Policy HTTP header recommended by the W3C.
The framework's CSP covers these resources:
- JavaScript Libraries: All JavaScript libraries must be uploaded to Salesforce static resources. For more information, see Using External JavaScript Libraries.
- HTTPS Connections for Resources: All external fonts, images, frames, and CSS must use an HTTPS URL.
Browser Support
CSP is not enforced by all browsers. For a list of browsers that enforce CSP, see caniuse.com.
Finding CSP Violations
Any policy violations are logged in the browser's developer console. The violations look like this:
    Refused to load the script 'https://externaljs.docsample.com/externalLib.js'
    because it violates the following Content Security Policy directive: ...

If your app's functionality is not affected, you can ignore the CSP violation.
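When a page logs many violations, it helps to group them by directive before deciding which ones matter. The script below is an added example, not Salesforce code: it parses console lines in the wording shown above and attaches a remediation hint based on the two rules in this overview. The sample lines, the `images.docsample.com` host, the directive values, and the function names are constructed for illustration.

```javascript
// Constructed sample: lines copied from a browser console. Only the first URL
// appears in the documentation above; the other host and both directive
// values are made up for illustration.
const SAMPLE_CONSOLE = [
  `Refused to load the script 'https://externaljs.docsample.com/externalLib.js'
because it violates the following Content Security Policy directive: "script-src 'self'".`,
  `Refused to load the image 'http://images.docsample.com/logo.png' because it violates the following Content Security Policy directive: "img-src 'self' https:".`,
  'Some unrelated console output',
];

// Chrome-style wording: Refused to load the <type> '<url>' because ... directive: "<directive>"
const VIOLATION =
  /Refused to load the (\w+) '([^']+)'\s+because it violates the following Content Security Policy directive: "([^"]*)"/;

// Turn one console line into a structured record, or null if it is not a violation.
function parseViolation(line) {
  const m = VIOLATION.exec(line);
  if (!m) return null;
  const [, type, blocked, directive] = m;
  let url = null;
  try { url = new URL(blocked); } catch (_) { /* not an absolute URL */ }
  const https = url !== null && url.protocol === 'https:';
  // Remediation hints follow the two rules listed in this overview.
  let fix = 'compare the source with the directive';
  if (type === 'script') fix = 'upload the library as a static resource';
  else if (url !== null && !https) fix = 'serve the resource over HTTPS';
  return { type, blocked, host: url ? url.host : null, https,
           directive: directive.trim().split(/\s+/)[0], fix };
}

// Group violations by violated directive so each can be reviewed once.
function triage(lines) {
  const byDirective = {};
  for (const line of lines) {
    const v = parseViolation(line);
    if (v === null) continue;
    (byDirective[v.directive] = byDirective[v.directive] || []).push(v);
  }
  return byDirective;
}

console.log(JSON.stringify(triage(SAMPLE_CONSOLE), null, 2));
```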