Content Security Policy Overview

The Lightning Component framework uses Content Security Policy (CSP) to impose restrictions on content. The main objective is to help prevent cross-site scripting (XSS) and other code injection attacks.

CSP is a W3C standard that defines rules to control the source of content that can be loaded on a page. All CSP rules work at the page level, and apply to all components and libraries. Web browsers follow CSP rules specified in web page headers to block requests to unknown servers for resources including scripts, images, and other data. CSP directives also apply to client-side JavaScript, for example by restricting inline JavaScript in HTML.

The framework enables these specific CSP rules:

JavaScript libraries can only be referenced from your org

All external JavaScript libraries must be uploaded to your org as static resources. The script-src 'self' directive requires script source to be called from the same origin. For developing Lightning web components, see Use Third-Party JavaScript Libraries. For developing Aura components, see Using External JavaScript Libraries.

Resources must be located in your org by default

The font-src, img-src, media-src, frame-src, style-src, and connect-src directives are set to 'self'. As a result, resources such as fonts, images, videos, frame content, CSS, and scripts must be located in the org by default.

You can change the CSP directives to permit access to third-party resources by adding trusted URLs (previously CSP Trusted Sites). For more information, see Manage Trusted URLs.

You can’t change the protocol from HTTPS to HTTP for these resources, however.

HTTPS connections for resources

All references to external fonts, images, frames, and CSS must use an HTTPS URL. This requirement applies whether the resource is located in your org or accessed through a trusted URL.

Inline JavaScript disallowed

Script tags can’t be used to load JavaScript, and event handlers can’t use inline JavaScript. The unsafe-inline source for the script-src directive is disallowed. For example, this attempt to use an event handler to run an inline script is prevented:

Not all browsers enforce CSP. For a list of browsers that enforce CSP, see caniuse.com.

CSP policy violations are logged in the browser’s developer console. If your app’s functionality isn’t affected, you can ignore the CSP violation.

This message is a sample violation.