Content Security Policy Overview
The Lightning Component framework uses Content Security Policy (CSP) to impose restrictions on content. The main objective is to help prevent cross-site scripting (XSS) and other code injection attacks.
The framework enables these specific CSP rules:
- Resources must be located in your org by default
The connect-src directive, and the directives governing the other resource types, are set to 'self'. As a result, resources such as fonts, images, videos, frame content, CSS, and scripts must be located in the org by default.
You can change the CSP directives to permit access to third-party resources by adding CSP Trusted Sites. For more information, see Create CSP Trusted Sites to Access Third-Party APIs.
You can’t change the protocol from HTTPS to HTTP for these resources, however.
- HTTPS connections for resources
All references to external fonts, images, frames, and CSS must use an HTTPS URL. This requirement applies whether the resource is located in your org or accessed through a CSP Trusted Site.
- Inline scripts are disallowed
The 'unsafe-inline' source for the script-src directive is disallowed. For example, an attempt to use an HTML event handler attribute to run an inline script is prevented by the browser.
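The three rules above can be checked mechanically. The following is an added example, not code from the Lightning Component framework or from Salesforce: a small evaluator that parses a CSP header string, falls back from a missing fetch directive to default-src, matches a resource URL against 'self' or an explicit https:// host source, rejects any non-HTTPS URL even when its host has been added as a Trusted Site, and reports whether script-src grants 'unsafe-inline'. The org origin, the policy string and every hostname below are constructed for illustration and are not real Salesforce values; wildcard and scheme-only source expressions are not handled.

```javascript
// Added example (not Salesforce code): minimal CSP evaluator modelling the
// rules described above. All origins, hosts and the policy are constructed.
const ORG_ORIGIN = 'https://example.my.site.invalid'; // hypothetical org origin

// Constructed policy: resource directives default to 'self' (the org), inline
// scripts are not allowed, and a hypothetical CSP Trusted Site has been added
// for images and XHR/fetch connections.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self'; style-src 'self'; " +
  "img-src 'self' https://cdn.example-trusted.invalid; " +
  "connect-src 'self' https://api.example-trusted.invalid";

// Parse "directive src src; directive src" into Map<directive, [sources]>.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// A fetch directive that is not listed inherits the sources of default-src.
function sourcesFor(directives, directive) {
  return directives.get(directive) ?? directives.get('default-src') ?? [];
}

// Does one source expression allow this URL? Only 'self' (same origin) and
// explicit scheme://host sources are modelled; other keywords never match URLs.
function matchesSource(url, source, selfOrigin) {
  if (source === "'self'") return url.origin === selfOrigin;
  if (source.startsWith("'")) return false;
  try {
    const allowed = new URL(source);
    return allowed.protocol === url.protocol && allowed.host === url.host;
  } catch {
    return false; // not a parseable host source (e.g. a wildcard we don't model)
  }
}

// Decide whether loading resourceUrl under `directive` is allowed.
// Returns { allowed: boolean, reason: string } so callers can log the reason
// the way the browser console does.
function checkResource(policy, directive, resourceUrl, selfOrigin = ORG_ORIGIN) {
  const url = new URL(resourceUrl);
  // HTTPS rule: an HTTP URL is refused even if its host is a Trusted Site.
  if (url.protocol !== 'https:') {
    return { allowed: false, reason: `${directive}: ${url.protocol} is not https:` };
  }
  const sources = sourcesFor(parseCsp(policy), directive);
  const allowed = sources.some((s) => matchesSource(url, s, selfOrigin));
  return allowed
    ? { allowed: true, reason: `${directive}: ${url.origin} matched [${sources.join(' ')}]` }
    : { allowed: false, reason: `${directive}: ${url.origin} not in [${sources.join(' ')}]` };
}

// Inline scripts (including onclick= attributes) need 'unsafe-inline' in
// script-src (or, failing that, in default-src). The framework never grants it.
function inlineScriptAllowed(policy) {
  return sourcesFor(parseCsp(policy), 'script-src').includes("'unsafe-inline'");
}

// Demo over constructed requests: same-origin image, Trusted Site image,
// the same Trusted Site over HTTP, and a font from a host that was never added.
const demoRequests = [
  ['img-src', `${ORG_ORIGIN}/img/logo.png`],
  ['img-src', 'https://cdn.example-trusted.invalid/a.png'],
  ['img-src', 'http://cdn.example-trusted.invalid/a.png'],
  ['font-src', 'https://fonts.example-untrusted.invalid/f.woff2'],
];
for (const [directive, url] of demoRequests) {
  const result = checkResource(SAMPLE_POLICY, directive, url);
  console.log(`${result.allowed ? 'ALLOW ' : 'REFUSE'} ${url} (${result.reason})`);
}
console.log(`inline scripts allowed: ${inlineScriptAllowed(SAMPLE_POLICY)}`);
```

Note that font-src is refused in the demo even though the font host is HTTPS: the sample policy lists no font-src, so the lookup falls back to default-src 'self', which is exactly the "located in your org by default" behaviour. Adding a Trusted Site would add the host to the relevant directive, but it cannot make the HTTP variant pass the protocol check.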
Not all browsers enforce CSP. For a list of browsers that enforce CSP, see
IE11 doesn’t support CSP, so we recommend using other supported browsers for enhanced security. Support for IE11 ends on December 31, 2022.
CSP policy violations are logged in the browser's developer console. Each violation means the browser refused to load a resource or run an inline script, and the console message names the directive that was violated and the blocked URL or script. If your app's functionality isn't affected, you can ignore the CSP violation.
This message is a sample violation.