Stricter CSP Restrictions

The Lightning Component framework uses Content Security Policy (CSP), which is a W3C standard, to control the source of content that can be loaded on a page. The CSP rules work at the page level, and apply to all components and libraries, regardless of whether Lightning Locker or Lightning Web Security is enabled. The Enable Stricter Content Security Policy org setting further mitigates the risk of cross-site scripting attacks. This setting is enabled by default.

The Enable Stricter Content Security Policy setting disallows the unsafe-inline source for the script-src directive. When the setting is enabled, script tags can’t be used to load JavaScript, and event handlers can’t use inline JavaScript.

You must ensure that all your code, including third-party libraries, respects all CSP restrictions.
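One way to review your own and third-party source for the inline constructs that a script-src policy without unsafe-inline blocks, as an added example that is not Salesforce code. It is a regex heuristic run over constructed sample markup; the function name `auditForInlineScript`, the file names and the `/resource/lib.js` path are assumptions, and the `javascript:` URL rule goes beyond the two cases named above because CSP treats such URLs as inline script.

```javascript
// Added example: heuristic audit for constructs that script-src without
// 'unsafe-inline' blocks. Regex-based, so treat each hit as a review lead.
const RULES = [
  { id: 'inline-script',
    // <script> with no src attribute and a non-empty body
    re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>\s*[^<\s]/gi },
  { id: 'inline-event-handler',
    // on<event>="..." attribute inside a tag, e.g. onclick, onerror
    re: /<[a-z][^>]*\son[a-z]+\s*=\s*["']?[^\s>]/gi },
  { id: 'javascript-url',
    // javascript: URLs are evaluated as inline script under CSP
    re: /\b(?:href|src|action|formaction)\s*=\s*["']?\s*javascript:/gi },
];

// Returns [{ file, rule, line }] sorted by line number.
function auditForInlineScript(name, text) {
  const findings = [];
  for (const { id, re } of RULES) {
    re.lastIndex = 0; // global regexes keep state between calls
    let m;
    while ((m = re.exec(text)) !== null) {
      const line = text.slice(0, m.index).split('\n').length;
      findings.push({ file: name, rule: id, line });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample inputs (not taken from any real library).
const SAMPLES = {
  'legacyWidget.html': [
    '<div class="box">',
    '  <button onclick="save()">Save</button>',
    '  <a href="javascript:void(0)">More</a>',
    '  <script>window.init = true;</script>',
    '  <script src="/resource/lib.js"></script>',
    '</div>',
  ].join('\n'),
  'compliant.html': [
    '<div class="box">',
    '  <button class="save">Save</button>',
    '  <script src="/resource/lib.js"></script>',
    '</div>',
  ].join('\n'),
};

for (const [name, text] of Object.entries(SAMPLES)) {
  console.log(name, auditForInlineScript(name, text));
}
```

The same function also catches these patterns inside JavaScript string literals that a library assigns to innerHTML, which is where third-party code most often hides them.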

Lightning Web Security (LWS) relies on Stricter CSP. Disabling the Enable Stricter Content Security Policy setting reduces the level of security that LWS provides. We strongly advise that you keep Enable Stricter Content Security Policy switched on when LWS is enabled.

Stricter CSP affects:

  • Lightning Experience
  • Salesforce app
  • Standalone apps that you create (for example, myApp.app)

Stricter CSP doesn’t affect:

  • Salesforce Classic
  • Any apps for Salesforce Classic, such as Salesforce Console in Salesforce Classic
  • Experience Builder sites, which have their own CSP settings
  • Lightning Out, which allows you to run Lightning components in a container outside of Lightning apps, such as Lightning components in Visualforce and Salesforce Tabs + Visualforce sites. The container defines the CSP rules.

CSP in Experience Builder sites is controlled separately through each site’s settings.