Stricter CSP Restrictions

The Lightning Component framework already uses Content Security Policy (CSP), which is a W3C standard, to control the source of content that can be loaded on a page. The “Enable Stricter Content Security Policy” org setting tightens CSP to mitigate the risk of cross-site scripting attacks. The CSP rules work at the page level, and apply to all components, whether Locker Service is enabled or not.

Stricter CSP disallows unsafe-inline for script-src. This means that inline script tags can’t be used to run JavaScript, and event handler attributes can’t contain inline JavaScript. For example, this is prevented:

When stricter CSP is enabled, you must ensure that all your code, including third-party libraries, respects the stricter CSP restrictions.
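To check whether a page’s policy actually meets this bar, here is an added example (not Salesforce code) that parses a Content-Security-Policy header value and reports whether the effective script-src still permits unsafe-inline; the header values in it are constructed samples, not captured from an org.

```javascript
// Added example, not Salesforce code: audit a Content-Security-Policy header
// value for the condition described above (script-src must not allow
// 'unsafe-inline'). The policy strings below are constructed samples.
// Parse a CSP header value into { directiveName: [sourceExpression, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers honour only the first occurrence of a directive.
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// script-src falls back to default-src when absent; null means no restriction.
function effectiveScriptSrc(policy) {
  if ('script-src' in policy) return policy['script-src'];
  if ('default-src' in policy) return policy['default-src'];
  return null;
}

// Returns { strict, reason?, unsafeEval } for a single header value.
function auditScriptSrc(header) {
  const sources = effectiveScriptSrc(parseCsp(header));
  if (sources === null) {
    return { strict: false, reason: 'no script-src or default-src: inline script is allowed', unsafeEval: true };
  }
  const lower = sources.map(s => s.toLowerCase());
  const unsafeInline = lower.includes("'unsafe-inline'");
  // CSP Level 2+: a nonce or hash source makes browsers ignore 'unsafe-inline'.
  const nonceOrHash = lower.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const unsafeEval = lower.includes("'unsafe-eval'");
  if (unsafeInline && !nonceOrHash) {
    return { strict: false, reason: "script-src allows 'unsafe-inline'", unsafeEval };
  }
  return { strict: true, unsafeEval };
}

// Constructed sample header values (not captured from a real org).
const SAMPLE_POLICIES = {
  stricter: "default-src 'self'; script-src 'self' https://cdn.example.invalid",
  relaxed:  "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src *",
};

for (const [name, value] of Object.entries(SAMPLE_POLICIES)) {
  console.log(name, auditScriptSrc(value));
}
```

Run it against the header your own pages return (visible in the browser’s network panel) to see which directive is actually governing script execution.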

Note

  • Prior to Summer ’18, stricter CSP also disabled unsafe-eval. This is no longer the case. Locker Service in Summer ’18 supports secure versions of both the eval() and Function() functions. For more information, see eval() Function is Limited by Locker Service.
  • Prior to Winter ’19, stricter CSP was controlled by the “Enable Stricter Content Security Policy for Lightning Components” critical update. We changed the critical update to an org setting to give you greater control over its enablement.

What Does Stricter CSP Affect?

Stricter CSP affects:

  • Lightning Experience
  • Salesforce app
  • Standalone apps that you create (for example, myApp.app)

Stricter CSP doesn’t affect:

  • Salesforce Classic
  • Any apps for Salesforce Classic, such as Salesforce Console in Salesforce Classic
  • Communities
  • Lightning Out, which allows you to run Lightning components in a container outside of Lightning apps, such as Lightning components in Visualforce and Visualforce-based Communities. The container defines the CSP rules.

Note

CSP in Communities is controlled separately through each community’s settings.

Disable Stricter CSP

Stricter CSP is enabled by default. To disable it:

  1. From Setup, enter Session in the Quick Find box, and then select Session Settings.
  2. Deselect the checkbox for “Enable Stricter Content Security Policy”.
  3. Click Save.