Stricter CSP Restrictions
The Lightning Component framework already uses Content Security Policy (CSP), a W3C standard, to control the sources from which content can be loaded on a page. The “Enable Stricter Content Security Policy” org setting tightens CSP to further mitigate the risk of cross-site scripting attacks. The CSP rules work at the page level and apply to all components and libraries, whether Lightning Locker is enabled or not.
Stricter CSP disallows unsafe-inline for script-src. Script tags can’t be used to load inline JavaScript, and event handlers can’t use inline JavaScript. For example, this attempt to use an event handler to run an inline script is prevented:

```html
<button onclick="doSomething()"></button>
```

When stricter CSP is enabled, you must ensure that all your code, including third-party libraries, respects the stricter CSP restrictions.
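Two pre-deployment checks that follow from the restriction above, written as an added example (not Salesforce code): one parses a CSP header to tell whether its script-src still permits inline script, and the other scans component markup for the inline handler and inline script patterns that stricter CSP blocks. The CSP header strings and the sample markup are constructed for illustration.

```javascript
// Added example, not part of the Salesforce documentation or framework.

// Return the script-src source list of a CSP header. When script-src is
// absent, browsers fall back to default-src, so this does the same.
function parseScriptSrc(cspHeader) {
  const directives = new Map();
  for (const part of cspHeader.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    // Directive names and keyword sources are case-insensitive; nonce/hash
    // values are only compared by prefix below, so lowercasing is safe here.
    directives.set(tokens[0].toLowerCase(), tokens.slice(1).map((t) => t.toLowerCase()));
  }
  return directives.get("script-src") || directives.get("default-src") || [];
}

// True only if inline script would actually execute under this policy.
// A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP Level 2+).
function allowsInlineScript(cspHeader) {
  const sources = parseScriptSrc(cspHeader);
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Find the two patterns the page names: on* handler attributes with inline
// JavaScript, and <script> elements with an inline body (no src attribute).
function findInlineScriptViolations(markup) {
  const findings = [];
  const handlerRe = /<([a-zA-Z][\w-]*)[^>]*\s(on[a-z]+)\s*=\s*("[^"]*"|'[^']*')/g;
  let m;
  while ((m = handlerRe.exec(markup)) !== null) {
    findings.push({ kind: "inline-handler", tag: m[1].toLowerCase(), attr: m[2].toLowerCase() });
  }
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  while ((m = scriptRe.exec(markup)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1]) && m[2].trim().length > 0) {
      findings.push({ kind: "inline-script", tag: "script", attr: null });
    }
  }
  return findings;
}

// Constructed sample markup; the first line is the page's own blocked example.
const SAMPLE_MARKUP = `<button onclick="doSomething()"></button>
<script>initWidget();</script>
<script src="/resource/widget.js"></script>
<button id="ok">OK</button>`;
```

Running `findInlineScriptViolations(SAMPLE_MARKUP)` reports the onclick handler and the inline `initWidget()` script, while the externally loaded `widget.js` and the plain button pass.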
What Does Stricter CSP Affect?
Stricter CSP affects:
- Lightning Experience
- Salesforce app
- Standalone apps that you create (for example, myApp.app)
Stricter CSP doesn’t affect:
- Salesforce Classic
- Any apps for Salesforce Classic, such as Salesforce Console in Salesforce Classic
- Communities
- Lightning Out, which allows you to run Lightning components in a container outside of Lightning apps, such as Lightning components in Visualforce and Visualforce-based Communities. The container defines the CSP rules.
Disable Stricter CSP
Stricter CSP is enabled by default. To disable it:
- From Setup, enter Session in the Quick Find box, and then select Session Settings.
- Deselect the checkbox for “Enable Stricter Content Security Policy”.
- Click Save.