ISVforce Guide

Welcome to the ISVforce Guide
ISVforce Quick Start
Grow Your AppExchange Business
Design and Build Your Solution
Create a Secure Solution
Prevent Common Violations of Secure Coding Guidelines
Loading JavaScript Files from Third-Party Endpoints
Loading Third-Party CSS in Lightning Components
Using CSS Outside Components
Running JavaScript in the Salesforce Domain
Exposing Secret Data When Debugging
Storing Sensitive Data Insecurely
Using Software That Has Known Vulnerabilities
Using Sample Code in Production
Bypassing Object-Level and Field-Level Access Settings
Bypassing Sharing Rules in Apex
SOQL Injection Due to Insecure Database Query Construction
Cross-Site Request Forgery
Open Redirects
Lightning LockerService Disabled
Insufficient Escaping in Lightning Components
Asynchronous Code in Components
Overview of Packages
Components Available in Managed Packages
About API and Dynamic Apex Access in Packages
Architectural Considerations for Group and Professional Editions
Connected Apps
Environment Hub
Developer Hub
Notifications for Package Errors
Package and Test Your Solution
Pass the AppExchange Security Review
Publish Your Solution on AppExchange
Sell on AppExchange with Checkout
Monitor Performance with Analytics for AppExchange Partners
Manage Orders
Managing Licenses for Managed Packages
Manage Features
Provide a Free Trial of Your Solution
Support Your AppExchange Customers
Update Your Solution
Appendices
Glossary
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Loading Third-Party CSS in Lightning Components

Include cascading style sheets (CSS) and other resources in static resources rather than loading from a third party.

This requirement is enforced for the same reasons outlined in Loading JavaScript Files from Third-Party Endpoints. The entire solution must be under version control, and the org administrator and Salesforce security review team must be aware of the change.

Using the <link> tag to load an external CSS resource violates this security policy.

At a high level, the solution is:
  1. Save third-party CSS files in static resources.
  2. Add the resources to your solution package.
  3. Reference the CSS using a <ltng:require> tag in your .cmp or .app markup.

For more information, see Using External CSS in the Lightning Aura Components Developer Guide.

Aura Example

These code snippets depict the security violation and how to fix it in a Lightning component in Aura. This Aura component code isn’t secure because it uses the <link> tag to load an external CSS resource.
1<aura:component>
2     <link rel="stylesheet" href="https://example.com/styles.css" type="text/css">
3<aura:component>
This Aura component code uses <ltng:require>, which is a more secure way to reference an external CSS resource that you uploaded as a static resource.
1<aura:component>
2    <ltng:require styles="{!$Resource.SLDSv1 + '/assets/styles/lightning-design-system-ltng.css'}" />
3</aura:component>