Content Security Policy Overview
Content Security Policy (CSP) is a W3C standard that lets a page declare which origins it may load content (scripts, styles, images, fonts, frames) from; the browser refuses anything else. CSP is enforced at the page level, so the same rules apply to every component and library on that page, whether you wrote them or not.
The framework enforces these specific CSP rules:
- JavaScript Libraries: All JavaScript libraries must be uploaded to Salesforce static resources. For more information, see Using External JavaScript Libraries.
- HTTPS Connections for Resources: All external fonts, images, frames, and CSS must use an HTTPS URL. You can change the CSP policy and expand access to third-party resources by adding CSP Trusted Sites.
- Inline JavaScript: Script tags can't be used to load JavaScript, and event handlers can't use inline JavaScript. For more details, see Stricter CSP Restrictions.
Browser Support
Not all browsers enforce CSP. For a list of browsers that enforce it, see caniuse.com. CSP is a browser-side, defense-in-depth control: a browser that doesn't enforce it simply loads the resource, so CSP is not a substitute for fixing the code that issues a disallowed load.
Finding CSP Violations
CSP policy violations are logged in the browser's developer console. A violation looks like the following message:

Refused to load the script 'https://externaljs.docsample.com/externalLib.js' because it violates the following Content Security Policy directive: ...

The message names the blocked URL and the directive it violated, which tells you whether the fix is a CSP Trusted Site entry or a code change. If your app's functionality isn't affected, you can ignore the CSP violation, but first confirm which component requested the blocked resource: a violation for a URL your own code never references deserves investigation rather than dismissal.
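The HTTPS, Trusted Sites and inline-script rules listed above, and the console message shown in this section, can be predicted before deployment with a small CSP source-list matcher. The following JavaScript is an added example and is not code from Salesforce or from the original page: it parses a policy string, decides whether a given load would be refused, and builds a message in the same style as the browser console. EXAMPLE_POLICY, every hostname and the page origin are constructed for illustration; the real policy for a Lightning page is set by the platform, so paste that one in when checking your own components.

```javascript
// Added example (not Salesforce code and not from the original page): a small
// CSP source-list matcher that predicts whether a load would be refused under
// a given policy and builds the same style of message the browser console logs.
// EXAMPLE_POLICY, every hostname and the page origin are constructed for
// illustration; the actual Lightning policy is set by the platform.

const EXAMPLE_POLICY =
  "default-src 'self' https:; " +
  "script-src 'self' https://cdn.trusted.example; " +
  "img-src 'self' https: data:; " +
  "font-src 'self' https://fonts.example";

const RESOURCE_NAMES = {
  "script-src": "script", "img-src": "image", "font-src": "font",
  "style-src": "stylesheet", "frame-src": "frame", "connect-src": "connection",
};

// Parse "name src src; name src ..." into Map<directive, [sources]>.
// Per the CSP spec, the first occurrence of a directive wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Fetch directives not set explicitly fall back to default-src.
function effectiveSources(directives, directive) {
  return directives.get(directive) ?? directives.get("default-src") ?? [];
}

// True if one source expression permits `url` on a page served from `pageOrigin`.
function sourceMatches(source, url, pageOrigin) {
  const u = new URL(url);
  const page = new URL(pageOrigin);
  const lower = source.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") return u.origin === page.origin;
  if (lower.startsWith("'")) return false; // 'unsafe-inline', nonces, hashes never match a URL
  if (lower === "*") return !["data:", "blob:", "filesystem:"].includes(u.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return u.protocol === lower; // scheme-source, e.g. https:
  // host-source: [scheme://][*.]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\*|\d+))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  // No scheme in the source: the page's own scheme is allowed, and so is https (upgrade).
  if (scheme ? u.protocol !== scheme.toLowerCase() + ":"
             : u.protocol !== page.protocol && u.protocol !== "https:") return false;
  const h = host.toLowerCase();
  if (wildcard ? !u.hostname.endsWith("." + h) : u.hostname !== h) return false;
  // No port in the source means the URL must use the scheme's default port (URL.port is "").
  const defaultPort = { "https:": "443", "http:": "80" }[u.protocol] ?? "";
  if (port === undefined ? u.port !== "" : (port !== "*" && (u.port || defaultPort) !== port)) return false;
  if (path && !(path.endsWith("/") ? u.pathname.startsWith(path) : u.pathname === path)) return false;
  return true;
}

// Evaluate one load; on refusal, return a console-style violation message.
function checkLoad(policy, directive, url, pageOrigin) {
  const directives = parsePolicy(policy);
  const sources = effectiveSources(directives, directive);
  const governing = directives.has(directive) ? directive : "default-src";
  const allowed = sources.some((s) => sourceMatches(s, url, pageOrigin));
  const message = allowed ? null :
    `Refused to load the ${RESOURCE_NAMES[directive] ?? "resource"} '${url}' because it violates ` +
    `the following Content Security Policy directive: "${governing} ${sources.join(" ")}"`;
  return { allowed, message };
}

// Inline script (a <script> body or an onclick="..." attribute) runs only with
// 'unsafe-inline' or a matching nonce. A nonce or hash anywhere in the list
// makes browsers ignore 'unsafe-inline', so the two are checked together.
function checkInlineScript(policy, nonce) {
  const sources = effectiveSources(parsePolicy(policy), "script-src");
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  if (nonce !== undefined && sources.includes(`'nonce-${nonce}'`)) return true;
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Reproduces the kind of message shown above for a script host not in the policy.
console.log(checkLoad(EXAMPLE_POLICY, "script-src",
  "https://externaljs.docsample.com/externalLib.js", "https://app.example").message);
```

Run it with Node. A refused `script-src` load for a host you control is fixed by adding that host as a CSP Trusted Site or by moving the library into a static resource served from 'self'; a refused inline handler is fixed in code (an `addEventListener` call in a static resource), since the platform policy does not grant 'unsafe-inline'. The matcher covers the host, scheme, wildcard, port and path forms of a source expression; it does not model `report-uri` or the `strict-dynamic` keyword.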