To help protect your org from cross-site scripting and other code-injection attacks,
Salesforce updated the delivered content security policy (CSP) directives for Lightning pages in
Summer ’24. If your production org was created before June 2024, enable a setting to adopt the
latest directives.
Required Editions
Available in: Lightning Experience
Available in: Enterprise, Performance, Unlimited, and Developer Editions
User Permissions Needed
To modify session security settings: Customize Application
To access the CSP Violation event type object: View Event Log Files AND API Enabled, OR View All Data
To create, read, update, and delete trusted URLs: Customize Application AND Modify All Data
Warning Before you enable this setting in production, we highly recommend that you
test this change in a sandbox.
The updated CSP directives can prevent externally hosted fonts and images from loading on your
Lightning pages. This change can also prevent external websites from loading within an iframe on
your Lightning pages.
Although this change can affect all customers, it can have the most significant impact in orgs
with a My Domain login URL that ends in .my-salesforce.com and in
Government Cloud—Defense orgs.
To review the resource requests that are blocked with this change, use the CSP Violation
event type object.
That event type captures all blocked and potentially blocked resources based on your CSP
settings. Resource requests impacted by this change have a DISPOSITION of
report in that event log. See CSP Violation Event Type in Object Reference for
the Salesforce Platform.
Tip The CSP Violation event is free for all customers with a 24-hour data
retention period. The event is available in the API but not in the Event Monitoring Analytics
app. To collect details for CSP violations over multiple days, schedule a daily query of the
CSP Violation event type via REST API.
Enable the new CSP directives.
In orgs created in Summer ’24 and later, this setting is enabled by default.
From Setup, in the Quick Find box, enter Session Settings, and
then select Session Settings.
Select Adopt updated CSP directives and save your changes.
This setting has no impact on the Trusted URLs for your org or the related CSP directives.
The change occurs within delivered Salesforce code.
To remediate issues on your Lightning pages, update your Trusted URLs. See Manage Trusted URLs.
To allow a blocked image, add or update a Trusted URL and enable the img-src (image) CSP
directive.
To allow a blocked font, add or update a Trusted URL and enable the font-src (fonts) CSP
directive.
To allow framing of an external website, add or update a Trusted URL and enable the
frame-src (iframe content) CSP directive.
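The daily query of the CSP Violation event type described in the tip above, and the mapping from a blocked request to the Trusted URL directive that remediates it, can be wired together in a short triage script. The following is an added example, not Salesforce code: it builds the SOQL that selects one day's CSP Violation event log files, parses the CSV body of such a file, keeps only the DISPOSITION=report rows that this change introduces, and groups their origins by the Trusted URL directive option to enable. The event type name CSPViolation and the column names (DISPOSITION, EFFECTIVE_DIRECTIVE, BLOCKED_URI) are assumptions taken from the standard CSP report fields and should be checked against CSP Violation Event Type in the Object Reference; the log lines are constructed sample data, and the org and CDN host names are hypothetical.

```python
import csv
import io
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Assumption: the CSP Violation event type is stored as 'CSPViolation' in EventLogFile.EventType.
CSP_EVENT_TYPE = "CSPViolation"

# Which Trusted URL directive option (as named on this page) allows each CSP directive.
TRUSTED_URL_OPTION = {
    "img-src": "img-src (image)",
    "font-src": "font-src (fonts)",
    "frame-src": "frame-src (iframe content)",
}

# Constructed sample EventLogFile body; column names are assumed, not taken from the page.
SAMPLE_LOG = """\
"EVENT_TYPE","TIMESTAMP","DISPOSITION","EFFECTIVE_DIRECTIVE","BLOCKED_URI","DOCUMENT_URI"
"CSPViolation","20240603120001.123","report","font-src","https://fonts.gstatic.com/s/roboto/v30/a.woff2","https://example.lightning.force.com/lightning/r/Account/001xx/view"
"CSPViolation","20240603120002.456","report","img-src","https://cdn.example.com/logo.png","https://example.lightning.force.com/lightning/page/home"
"CSPViolation","20240603120002.789","report","img-src","https://cdn.example.com/banner.png","https://example.lightning.force.com/lightning/page/home"
"CSPViolation","20240603120003.000","report","frame-src","https://app.partner.example/embed","https://example.lightning.force.com/lightning/n/Partner"
"CSPViolation","20240603120004.111","report","img-src","data","https://example.lightning.force.com/lightning/page/home"
"CSPViolation","20240603120005.222","enforce","script-src","https://cdn.example.com/tracker.js","https://example.lightning.force.com/lightning/page/home"
"""


def daily_event_log_query(log_day: str) -> str:
    """SOQL selecting the EventLogFile rows that hold one day's CSP violation events.
    log_day is YYYY-MM-DD; each row's LogFile field is the relative URL of the CSV body."""
    return (
        "SELECT Id, EventType, LogDate, LogFile FROM EventLogFile "
        f"WHERE EventType = '{CSP_EVENT_TYPE}' AND LogDate = {log_day}T00:00:00Z"
    )


def parse_event_log(csv_text: str) -> list[dict]:
    """Parse one EventLogFile CSV body into one dict per violation."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def origin_of(blocked_uri: str):
    """Reduce a blocked URI to the scheme://host[:port] origin a Trusted URL covers.
    Returns None for non-URL values such as 'data' or 'inline', which no Trusted URL can allow."""
    parts = urlsplit(blocked_uri)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def triage(rows: list[dict]) -> dict:
    """Group the report-only violations (the ones attributable to the updated directives)
    into the Trusted URL changes that would resolve them; keep a count of everything seen."""
    to_allow = defaultdict(set)
    counts = Counter()
    unresolvable = []
    for row in rows:
        counts[(row["DISPOSITION"], row["EFFECTIVE_DIRECTIVE"])] += 1
        if row["DISPOSITION"] != "report":
            continue  # 'enforce' rows were already blocked before this setting changed anything
        option = TRUSTED_URL_OPTION.get(row["EFFECTIVE_DIRECTIVE"])
        origin = origin_of(row["BLOCKED_URI"])
        if option is None or origin is None:
            unresolvable.append((row["EFFECTIVE_DIRECTIVE"], row["BLOCKED_URI"]))
            continue
        to_allow[option].add(origin)
    return {
        "trusted_urls": {opt: sorted(origins) for opt, origins in to_allow.items()},
        "counts": dict(counts),
        "unresolvable": unresolvable,
    }


if __name__ == "__main__":
    print(daily_event_log_query("2024-06-03"))
    result = triage(parse_event_log(SAMPLE_LOG))
    for option, origins in result["trusted_urls"].items():
        print(f"enable {option} on a Trusted URL for: {', '.join(origins)}")
    for directive, uri in result["unresolvable"]:
        print(f"cannot allow via Trusted URL: {directive} {uri}")
```

In a scheduled job the query goes to the REST query endpoint, each returned LogFile URL is fetched for its CSV, and the parsed rows are archived before the 24-hour retention window expires; only then is triage run over the accumulated rows. Note that a blocked URI of data or inline cannot be fixed with a Trusted URL, so such rows are reported separately rather than silently dropped, and enforce rows are excluded because they were blocked regardless of this setting.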