
Stricter CSP Restrictions

The Lightning Component framework uses Content Security Policy (CSP), which is a W3C standard, to control the source of content that can be loaded on a page. The CSP rules work at the page level, and apply to all components and libraries, whether Lightning Locker is enabled or not. The “Enable Stricter Content Security Policy” org setting was added in the Winter ’19 release to further mitigate the risk of cross-site scripting attacks. This setting was enabled by default.

The Enable Stricter Content Security Policy setting disallows the unsafe-inline source for the script-src directive. Script tags can’t be used to load JavaScript, and event handlers can’t use inline JavaScript.

To ensure better security, the Enable Stricter Content Security Policy setting is always enabled. If you disable it in Session Settings, it remains in effect to block inline JavaScript. We plan to remove the setting from Session Settings in a future release, as the restriction on unsafe-inline JavaScript is always enforced.

Note

You must ensure that all your code, including third-party libraries, respects all CSP restrictions.
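To make the restriction above concrete, here is an added example (not Salesforce code) of two review helpers: `allowsInlineScript` reads a CSP policy string and reports whether its effective `script-src` still permits inline script, and `findInlineScriptViolations` flags the markup constructs that stop working once `unsafe-inline` is gone, which is the kind of check worth running over your own code and any third-party library you bundle. Both are regex-based aids rather than full CSP or HTML parsers, and the sample markup is constructed for the example.

```javascript
function allowsInlineScript(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  // script-src governs scripts, default-src is the fallback; neither means no limit.
  const sources = directives['script-src'] ?? directives['default-src'];
  if (sources === undefined) return true;
  // CSP Level 2+: a nonce- or hash-source makes 'unsafe-inline' ignored.
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  return sources.some(s => s.toLowerCase() === "'unsafe-inline'") && !hasNonceOrHash;
}

// Flags markup that stops working once script-src lacks 'unsafe-inline'.
function findInlineScriptViolations(markup) {
  const findings = [];
  let m;
  // 1. <script> elements with a body and no src attribute.
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  while ((m = scriptRe.exec(markup)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1]) && m[2].trim()) {
      findings.push({ kind: 'inline-script', where: m[2].trim().slice(0, 40) });
    }
  }
  // 2. Inline event handler attributes (onclick, onload, ...) on any element.
  const tagRe = /<([a-z][\w:-]*)\b([^>]*)>/gi;
  const attrRe = /\s(on[a-z]+)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi;
  while ((m = tagRe.exec(markup)) !== null) {
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[2])) !== null) {
      findings.push({ kind: 'inline-handler', where: `<${m[1]} ${a[1]}>` });
    }
  }
  // 3. javascript: URLs, which the browser treats as inline script too.
  const jsUrlRe = /\b(?:href|src|action)\s*=\s*["']?\s*javascript:/gi;
  while ((m = jsUrlRe.exec(markup)) !== null) {
    findings.push({ kind: 'javascript-url', where: m[0] });
  }
  return findings;
}

// Constructed sample standing in for component markup that still relies on inline JS.
const SAMPLE_MARKUP = `<div>
  <script>initLegacyWidget();</script>
  <script src="/resource/widget.js"></script>
  <button onclick="save()" onmouseover="hint()">Save</button>
  <a href="javascript:void(0)">Help</a>
</div>`;
```

Running `findInlineScriptViolations(SAMPLE_MARKUP)` reports four findings: the inline script body, the two handler attributes on the button, and the `javascript:` link, while the external `<script src>` passes.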

What Does Stricter CSP Affect?

Stricter CSP affects:

  • Lightning Experience
  • Salesforce app
  • Standalone apps that you create (for example, myApp.app)

Stricter CSP doesn’t affect:

  • Salesforce Classic
  • Any apps for Salesforce Classic, such as Salesforce Console in Salesforce Classic
  • Experience Builder sites, which have their own CSP settings
  • Lightning Out, which allows you to run Lightning components in a container outside of Lightning apps, such as Lightning components in Visualforce and Salesforce Tabs + Visualforce sites. The container defines the CSP rules.

CSP in Experience Builder sites is controlled separately through each site’s settings.

Note