Content Security Policy (CSP) Directive Rendering Control
Enabling CSP (Content Security Policy) Directive Rendering allows your Salesforce org to adopt the latest, most restrictive security standards for how resources are loaded on Lightning pages.
Control Name
CSP Directive Rendering
Recommended Configuration
- Apply CSP directives for less common browsers
- Adopt updated CSP directives
Setup > Trusted URL > New Trusted URL > Content Security Policy (CSP) Settings > CSP Directives: Select the directives that Lightning components, third-party APIs, and WebSocket connections can load from this trusted URL.
Control Overview
By activating this control, the platform enforces strict browser-level rules that prevent cross-site scripting (XSS) and code injection by blocking any external scripts, images, or iframes that have not been explicitly authorized in your Trusted URLs allowlist.
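To make concrete what the Trusted URL allowlist enforces, here is an added example (not Salesforce code) that evaluates a Content-Security-Policy header the way a browser would: given a directive, a resource URL and the page origin, it reports whether the load is permitted, and whether inline script would run. The policies and hostnames (cdn.example.com, ws.example.com, example.lightning.force.com) are constructed placeholders, and the evaluator is deliberately simplified (no nonces, hashes, path or port matching).

```python
"""Minimal CSP source-list evaluator (added example, not Salesforce code). Models how a
browser applies the Content-Security-Policy header a Trusted URL allowlist produces.
Simplified: no nonces/hashes, no path/port matching, no http->https upgrade."""
import fnmatch
from urllib.parse import urlsplit
# Fetch directives that fall back to default-src when not set explicitly.
FETCH_DIRECTIVES = {"script-src", "img-src", "style-src", "font-src",
                    "media-src", "connect-src", "frame-src"}

def parse_csp(header: str) -> dict[str, list[str]]:
    """'name src src; name src' -> {name: [sources]} with lower-cased names."""
    policy = {}
    for part in header.split(";"):
        if tokens := part.split():
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _source_matches(src: str, url: str, page_origin: str) -> bool:
    u, p = urlsplit(url), urlsplit(page_origin)
    if src == "'none'":
        return False
    if src == "'self'":
        return (u.scheme, u.hostname) == (p.scheme, p.hostname)
    if src == "*":
        return u.scheme in ("http", "https", "ws", "wss")
    if src.endswith(":"):                              # scheme source, e.g. "https:"
        return u.scheme == src[:-1]
    s = urlsplit(src if "://" in src else "//" + src)  # host source, "*." = any subdomain
    if s.scheme and s.scheme != u.scheme:
        return False
    return fnmatch.fnmatchcase(u.hostname or "", s.hostname or "")

def is_allowed(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """True if `url` may load under `directive` (e.g. script-src) on a page at `page_origin`."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True                                    # no directive at all: unrestricted
    return any(_source_matches(s, url, page_origin) for s in sources)

def allows_inline(policy: dict, directive: str) -> bool:
    """True if inline script/style would run under `directive` (what an XSS payload needs)."""
    sources = policy.get(directive, policy.get("default-src"))
    return sources is None or "'unsafe-inline'" in sources

# Constructed policies: a permissive one vs. what a strict Trusted URL allowlist yields.
PERMISSIVE = parse_csp("default-src * 'unsafe-inline'")
RESTRICTIVE = parse_csp("default-src 'self'; script-src 'self' https://cdn.example.com; img-src 'self' "
                        "*.example.com; connect-src 'self' wss://ws.example.com; frame-src 'none'")
PAGE = "https://example.lightning.force.com"           # placeholder org domain
```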
Security Risk If Not Configured
Without CSP Directive Rendering, your organization lacks a robust, browser-level defense against Cross-Site Scripting (XSS) and unauthorized data exfiltration.
This omission allows malicious actors to execute unverified scripts or load harmful external resources within your Lightning pages, potentially leading to the theft of session cookies, credential harvesting, or the silent manipulation of sensitive record data.
Threat Scenarios
In a typical threat scenario, an attacker exploits the absence of strict CSP enforcement by injecting a malicious script into a vulnerable field or URL parameter to execute a Stored or Reflected Cross-Site Scripting (XSS) attack.
Without these updated directives, the browser can permit the script to execute inline or "phone home" to an untrusted external domain, allowing the attacker to silently exfiltrate sensitive record data or capture user input in real-time while operating under the victim's active session.
Estimated CVSS Score Range
Critical (9.0–10.0).
Risk Impact Considerations
The risk impact encompasses a critical failure in browser-level data protection, potentially allowing attackers to execute unauthorized code that can steal user credentials, manipulate sensitive records, and cause widespread data exfiltration.
Higher Risk When
Failing to enable Lightning Web Security (LWS) or Lightning Locker significantly heightens the risk, as it removes the essential namespace isolation that prevents a single compromised component from accessing data across your entire UI.
Furthermore, combining weak Profile and Permission Set hygiene—such as granting unnecessary "View All Data" rights or allowing unauthenticated Guest User API access—creates a "perfect storm" where an attacker can use a basic XSS vulnerability to rapidly escalate privileges and exfiltrate the organization's entire database.
Low or No Risk When
To minimize the risks associated with disabled CSP Directive Rendering, you can rely on Lightning Web Security (LWS) or Lightning Locker, which provide a robust architectural sandbox that isolates component namespaces and prevents malicious scripts from accessing data in other parts of the UI.
Additionally, utilizing Salesforce Shield Event Monitoring allows you to detect and block anomalous data exfiltration attempts in real-time, effectively providing a defense-in-depth layer that catches threats even if browser-level content restrictions are not fully enforced.
Business and Integration Considerations
Implementing CSP Directive Rendering requires a meticulous audit of all third-party scripts, images, and iframes to make sure they are added to the Trusted URLs list, as failing to add these external dependencies to the allowlist will break critical business integrations and UI components.
Recommended Remediation
Enable the CSP Directives that align with your organization's security standards.
Security Health Review Guidance
Security Health Review inspects the Trusted URL CSP settings, including CSP Directives, to confirm they align with security standards for how resources are loaded on Lightning pages.