Lightning Components Developer Guide

What is the Lightning Component Framework?
Quick Start
Creating Components
Using Components
Communicating with Events
Creating Apps
App Overview
Designing App UI
Creating App Templates
Developing Secure Code
Content Security Policy Overview
What is LockerService?
Writing Secure Code
Salesforce Lightning CLI
Styling Apps
Using JavaScript
JavaScript Cookbook
Using Apex
Lightning Data Service (Developer Preview)
Lightning Container (Developer Preview)
Controlling Access
Using Object-Oriented Development
Using the AppCache
Distributing Applications and Components
Debugging
Fixing Performance Warnings
Reference
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Content Security Policy Overview

The Lightning Component framework uses Content Security Policy (CSP) to control the source of content that can be loaded on a page.

CSP is a Candidate Recommendation of the W3C working group on Web Application Security. The framework uses the Content-​Security-​Policy HTTP header recommended by the W3C.

The framework’s CSP covers these resources:

JavaScript Libraries
All JavaScript libraries must be uploaded to Salesforce static resources. For more information, see Using External JavaScript Libraries.
HTTPS Connections for Resources
All external fonts, images, frames, and CSS must use an HTTPS URL.

You can change the CSP policy and expand access to third-party resources by adding CSP Trusted Sites.

Content Security Policy and LockerService

LockerService tightens CSP to eliminate the possibility of cross-site scripting attacks. These CSP changes are only enforced in sandboxes and Developer Edition orgs.

The stricter CSP disallows the unsafe-inline and unsafe-eval keywords for inline scripts (script-src). Ensure that your code and third-party libraries you use adhere to these rules by removing all calls using eval() or inline JavaScript code execution. You might have to update your third-party libraries to modern versions that don’t depend on unsafe-inline or unsafe-eval.

LockerService is a critical update for this release. LockerService will be automatically activated for all orgs in the Summer ’17 release. Before the Summer ’17 release, you can manually activate and deactivate the update as often as you need to evaluate the impact on your org.

Browser Support

CSP isn’t enforced by all browsers. For a list of browsers that enforce CSP, see caniuse.com.

IE11 doesn’t support CSP, so we recommend using other supported browsers for enhanced security.

Note

Finding CSP Violations

Any policy violations are logged in the browser’s developer console. The violations look like the following message.

1Refused to load the script 'https://externaljs.docsample.com/externalLib.js'
2because it violates the following Content Security Policy directive: ...

If your app’s functionality isn’t affected, you can ignore the CSP violation.