          External Redirection Restrictions in Salesforce

          Learn what qualifies as a redirection in Salesforce, when those redirections are blocked, and your options for allowing and restricting redirections.

          Required Editions

          Available in: all editions
          Note: For qualifying redirections, Salesforce verifies the initial redirection outside Salesforce against the Trusted URLs for Redirects allowlist. However, Salesforce can’t verify subsequent redirections. For example, if a link on a Visualforce page includes a redirection to https://www.example.com, Salesforce verifies that you allowed redirections to https://www.example.com. If that URL then redirects the user to https://spam.example.com, Salesforce can’t check that redirection, because it occurs outside of Salesforce.

          Trusted URLs for Redirects

          Whenever Salesforce verifies whether the target URL for a redirection is allowed, Salesforce uses the Trusted URLs for Redirects allowlist.

          Salesforce uses that allowlist to verify redirections within pages and components. And for users who access Salesforce with Salesforce Classic, you can choose to verify hyperlinks in Salesforce against that allowlist.

          Redirections Within Components and Pages

          Within pages and components, a valid direct anchor link to an external URL is always allowed. An example of a direct anchor link is <a href="targetUrl">linkText</a>.

          For direct anchor links, if the target URL fails a syntax check, the user receives an error but the redirection isn’t captured in the Trusted URL and Browser Policy Violations list in Setup. Examples of malformed URLs that fail a syntax check are https://malformed^url.example.com and https://mydomain.lightning.force.com/$test61'3.

          Within pages and components, Salesforce verifies the target URL for these types of redirections against the Trusted URLs for Redirects allowlist.

          • Anchor links that include a redirection. For example, <a href="/?startURL=targetUrl">linkText</a> includes a redirection via the startURL parameter.
          • A parameter that redirects the user. For example, this form action redirects the user through the saveURL parameter: <form action="/xyz?saveURL=targetURL">.

          For these redirections, if the target URL isn’t on the allowlist, the redirection is blocked and the user receives an error. This verification applies to users who access Salesforce in both Salesforce Classic and Lightning Experience. When Salesforce blocks a redirection in these cases, the blocked redirection is captured in the Trusted URL and Browser Policy Violations list in Setup. If the redirection is blocked because the target URL failed a syntax check, the malformed URL is captured in the violations list.

          Note: To help preserve performance, if a high volume of redirections that originate from your org are blocked over a short period of time, some of those blocked redirections can fail to be captured on the Trusted URL and Browser Policy Violations list.

          Restricting Redirections from Hyperlinks in Salesforce

          You can specify the behavior when a user clicks a hyperlink with a target URL that isn’t on the Trusted URLs for Redirects allowlist. The availability of this feature differs based on the field type that contains the hyperlink.

          • For the URL field type, you can restrict redirections from hyperlinks for users who access Salesforce via Lightning Experience or Salesforce Classic. The website field on the Accounts page is a URL field.
          • For the Long Text Area field type, you can restrict redirections from hyperlinks only for users who access Salesforce via Salesforce Classic. The description field on the Accounts page is an example of a Long Text Area field.

          Salesforce recommends that you warn users during those redirections. For users who access Salesforce via Salesforce Classic, the warning message includes an option for the user to trust the URL in the future.

          You can also choose to block these redirections. Only blocked redirections that originate in Salesforce Classic are captured in the Trusted URL and Browser Policy Violations list in Setup.

          See Secure External Redirections from Hyperlinks in Salesforce.

          Note: Secure redirections to untrusted URLs in Lightning Experience is a pilot or beta service that is subject to the Beta Services Terms at Agreements - Salesforce.com or a written Unified Pilot Agreement if executed by Customer, and applicable terms in the Product Terms Directory. Use of this pilot or beta service is at the Customer's sole discretion.

          Redirections to Cross-Origin URLs Within Your Org

          There’s one last special case to cover. Salesforce serves multiple URLs for your Salesforce org, and not all those URLs share a domain. Normally, redirections to a different domain are allowed only when the target domain is on the Trusted URLs for Redirects allowlist. However, Salesforce allows these cross-origin redirections within the same org.

          For example, a Visualforce page that’s served on MyDomainName--c.vf.force.com can contain a link to a site page that’s served by the same org on MyDomainName.my.site.com. Also, when you change your My Domain name and redirections from your previous My Domain are enabled, cross-origin redirections from your previous My Domain URLs are allowed. For example, a redirection from oldMyDomainName.my.salesforce.com to newMyDomainName.lightning.force.com is allowed, because those URLs belong to the same org.
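The rules in "Redirections Within Components and Pages" and the same-org exception above can be applied to your own page markup before deployment. The following is an added example, not Salesforce code: the verdict labels, the exact-hostname allowlist matching, and the character filter used as a syntax check are assumptions, and the markup is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Assumptions, not Salesforce's implementation: only the two parameter names the page
# mentions are tracked, and SAFE_URL is a conservative stand-in for the syntax check.
REDIRECT_PARAMS = {"starturl", "saveurl"}
SAFE_URL = re.compile(r"^https?://[A-Za-z0-9.-]+(:\d+)?(/[A-Za-z0-9._~/?#&=%+-]*)?$")

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []  # every <a href> and <form action> value, in document order
    def handle_starttag(self, tag, attrs):
        wanted = {"a": "href", "form": "action"}.get(tag)
        self.urls += [v for k, v in attrs if k == wanted and v]

def classify(url, trusted_hosts, org_hosts):
    """Predict how one href/action value is treated under the rules on this page."""
    parts = urlsplit(url)
    if parts.netloc:  # direct external link: syntax check only, no allowlist
        return "direct-ok" if SAFE_URL.match(url) else "direct-malformed"
    for name, values in parse_qs(parts.query).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        target = urlsplit(values[0])
        if not target.netloc:
            continue  # redirect stays on the current host
        if not SAFE_URL.match(values[0]):
            return "blocked-malformed"  # malformed URL lands in the violations list
        if target.hostname in org_hosts:
            return "same-org"  # cross-origin redirect within the same org
        return "trusted" if target.hostname in trusted_hosts else "blocked-untrusted"
    return "no-external-redirect"

def audit(markup, trusted_hosts, org_hosts):
    collector = LinkCollector()
    collector.feed(markup)
    return [(u, classify(u, trusted_hosts, org_hosts)) for u in collector.urls]

# Constructed markup covering each case described on the page.
SAMPLE = """
<a href="https://www.example.com">direct link</a>
<a href="/?startURL=https://www.example.com">allowlisted target</a>
<a href="/?startURL=https%3A%2F%2Fspam.example.com%2Foffer">unlisted target</a>
<form action="/xyz?saveURL=https://mydomainname.my.site.com/home"></form>
<a href="/?startURL=https://malformed^url.example.com">malformed target</a>
"""
```

Call `audit(SAMPLE, {"www.example.com"}, {"mydomainname.my.site.com"})` to get one verdict per link. A `trusted` verdict covers only the first hop, since later redirections happen outside Salesforce.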

          Get Information About Blocked Redirections

          To manage the blocked redirections that Salesforce tracks, use the Trusted URL and Browser Policy Violations list in Setup. That violations list includes blocked redirections that occurred within the last seven days.

          To get more information about those blocked redirections, including the page where the redirection originated, use the Blocked Redirect event type. To track violations over time, schedule a daily query of that event type. See Blocked Redirect Event Type in Object Reference for the Salesforce Platform.
