Content Security Policy Overview
CSP is a W3C standard that defines rules to control the source of content that can be loaded on a page. All CSP rules work at the page level, and apply to all components and libraries. Web browsers follow CSP rules specified in web page headers to block requests to unknown servers for resources including scripts, images, and other data. CSP directives also apply to client-side JavaScript, for example by restricting inline JavaScript in HTML.
The framework enables these specific CSP rules:
- JavaScript libraries can only be referenced from your org
  All external JavaScript libraries must be uploaded to your org as static resources. The script-src 'self' directive requires that scripts be loaded from the same origin as the page. For more information, see Using External JavaScript Libraries.
- Resources must be located in your org by default
  The font-src, img-src, media-src, frame-src, style-src, and connect-src directives are set to 'self'. As a result, resources such as fonts, images, videos, frame content, CSS, and scripts must be located in the org by default.
  You can change the CSP directives to permit access to third-party resources by adding CSP Trusted Sites. For more information, see Create CSP Trusted Sites to Access Third-Party APIs.
- HTTPS connections for resources
  All references to external fonts, images, frames, and CSS must use an HTTPS URL. This requirement applies whether the resource is located in your org or accessed through a CSP Trusted Site.
- Blob URLs disallowed in iframes
  The frame-src directive disallows the blob: scheme. This restriction prevents an attacker from injecting arbitrary content into an iframe in a clickjacking attempt. Use a regular link to a blob URL and open the content in a new tab or window instead of using an iframe.
- Inline JavaScript disallowed
  Script tags can’t be used to load JavaScript, and event handlers can’t use inline JavaScript. The 'unsafe-inline' source for the script-src directive is disallowed. For example, this attempt to use an event handler to run an inline script is prevented:
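As an added example that is not part of this page or of the framework, the following JavaScript evaluates candidate resource loads and inline script against a policy string constructed to mirror the rules listed above. The org origin https://myorg.example.com and the trusted site https://fonts.example.com are assumptions, not values from the page.

```javascript
// Constructed policy mirroring the page's rules (not the framework's real header):
// every directive is 'self', and a hypothetical CSP Trusted Site has been
// added to font-src. PAGE_ORIGIN stands in for the org's own origin.
const PAGE_ORIGIN = "https://myorg.example.com";
const EXAMPLE_POLICY =
  "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; " +
  "media-src 'self'; connect-src 'self'; frame-src 'self'; " +
  "font-src 'self' https://fonts.example.com";

// Parse "name src src; name src" into { name: [src, ...] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// A fetch directive that is absent from the policy falls back to default-src.
function effectiveSources(directives, directive) {
  return directives[directive] ?? directives["default-src"] ?? [];
}

// Does one source expression admit this URL? 'self' covers same-origin
// http(s) URLs only; blob: and other schemes need an explicit scheme source.
function sourceMatches(source, url) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === PAGE_ORIGIN && url.protocol === "https:";
  if (source.endsWith(":")) return url.protocol === source; // scheme source, e.g. blob:
  try {
    return new URL(source).origin === url.origin; // host source such as a trusted site
  } catch {
    return false;
  }
}

// Would the browser load resourceUrl under `directive` with this policy?
function isAllowed(header, directive, resourceUrl) {
  const url = new URL(resourceUrl);
  // Page rule: frame-src never admits blob: URLs, whatever the sources say.
  if (directive === "frame-src" && url.protocol === "blob:") return false;
  // Page rule: anything outside the org must be referenced over HTTPS.
  if (url.origin !== PAGE_ORIGIN && url.protocol !== "https:") return false;
  return effectiveSources(parseCsp(header), directive).some((s) => sourceMatches(s, url));
}

// Inline scripts and on* handlers run only if script-src carries 'unsafe-inline'.
function inlineScriptAllowed(header) {
  return effectiveSources(parseCsp(header), "script-src").includes("'unsafe-inline'");
}
```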
Browser Support
CSP isn’t enforced by all browsers. For a list of browsers that enforce CSP, see caniuse.com.
Finding CSP Violations
CSP policy violations are logged in the browser’s developer console. The violations look like the following message.
If your app’s functionality isn’t affected, you can ignore the CSP violation.