Content Security Policy Protection Control
Prevent users from bypassing security checks when viewing templates in Salesforce Classic using Internet Explorer, and enforce a rigorous framework that blocks unauthorized scripts and resources from executing within the platform.
Control Name
Content Security Policy
Recommended Configuration
- Disable Override Restriction on Accessing Email Templates in Salesforce Classic Using Internet Explorer
- Enable Stricter Content Security Policy
Location: Setup > Session Settings > Content Security Policy. Both settings are found there: "Enable Stricter Content Security Policy" and "Disable Override Restriction on Accessing Email Templates in Salesforce Classic Using Internet Explorer".
Control Overview
"Disable Override Restriction on Accessing Email Templates" prevents users from bypassing security checks when viewing templates in Salesforce Classic using Internet Explorer, while "Enable Stricter Content Security Policy" enforces a rigorous framework that blocks unauthorized scripts and resources from executing within the platform. Together, they ensure that sensitive content is protected from execution-based attacks regardless of the user's browser or interface choice.
Security Risk If Not Configured
By leaving these protections disabled, you are essentially keeping a "backdoor" open for legacy Internet Explorer exploits that can bypass email template security and execute malicious code within a user's session. Additionally, without a stricter CSP, your org lacks the up-to-date protection needed to block sophisticated Cross-Site Scripting (XSS) attacks, making it far easier for unauthorized scripts to hijack sessions or silently scrape sensitive record data.
Threat Scenarios
An attacker leverages a legacy browser’s vulnerabilities to bypass email template restrictions and execute a malicious payload within the Salesforce Classic interface. Without Stricter CSP to act as a gatekeeper, this script is free to "phone home" by exfiltrating session tokens or sensitive record data to an external domain, effectively turning a simple page view into a silent, automated data breach.
Estimated CVSS Score Range
Critical (9.0–10.0).
Risk Impact Considerations
The risk impact centers on a critical breach of data integrity and confidentiality, as attackers can leverage legacy browser exploits and cross-site scripts to hijack sessions or exfiltrate sensitive company information.
Higher Risk When
Beyond the settings mentioned, the risk is significantly compounded by disabling Lightning Web Security (LWS) or Lightning Locker, as this removes the critical namespace isolation that prevents a single compromised component from accessing data across your entire UI. Additionally, misconfigurations such as allowing "unsafe-inline" scripts in your CSP Trusted URLs or failing to implement IP session locking and clickjack protection create an environment where session-hijacking and "man-in-the-browser" attacks can bypass standard authentication. Furthermore, overly permissive Guest User profiles or broad "View All Data" permissions can turn a minor script injection into a full-scale automated data breach.
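The "unsafe-inline" and wildcard misconfigurations named above can be checked mechanically. The following is an added example (not Salesforce's own code, and not how the platform implements Stricter CSP): it parses a Content-Security-Policy header string into directives, applies the default-src fallback, and reports the weak script-loading settings a reviewer would flag.

```python
"""Audit a Content-Security-Policy header for weak script-loading settings.

Constructed example; the policies in the test are made-up inputs, not
headers captured from any Salesforce org.
"""
from typing import Dict, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """A fetch directive that is absent falls back to default-src (CSP spec)."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def audit_csp(header: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing weak was found."""
    policy = parse_csp(header)
    findings: List[str] = []
    script = [s.lower() for s in effective_sources(policy, "script-src")]
    if "script-src" not in policy and "default-src" not in policy:
        findings.append("no script-src or default-src: scripts load from anywhere")
    # With a nonce or hash present, CSP Level 2+ browsers ignore 'unsafe-inline';
    # legacy browsers such as Internet Explorer do not enforce standard CSP at all.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script
    )
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline'")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    for src in script:
        # Bare schemes and host wildcards let any matching origin serve scripts.
        if "*" in src or src in ("http:", "https:", "data:"):
            findings.append(f"script-src wildcard source {src}")
    if "'none'" not in [s.lower() for s in effective_sources(policy, "object-src")]:
        findings.append("object-src is not 'none': plugin content can be embedded")
    return findings
```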
Low or No Risk When
Transitioning all users to the Lightning Experience and modern browsers acts as a primary deterrent by effectively deprecating the legacy Salesforce Classic and Internet Explorer attack vectors. Additionally, enforcing Multi-Factor Authentication (MFA) and Trusted or Login IP Range Restrictions ensures that even if a session is compromised via a cross-site script, it cannot be easily weaponized from an unauthorized device or location.
Business and Integration Considerations
Implementing these controls requires a comprehensive audit of legacy browser usage and third-party dependencies, as stricter CSP and template restrictions can disrupt custom Lightning components, external integrations, and legacy workflows.
Recommended Remediation
Update the Session Settings (Setup > Session Settings > Content Security Policy) to enable Stricter Content Security Policy.
Security Health Review Guidance
Security Health Review inspects the session settings, including Stricter Content Security Policy, to confirm that they align with security standards on how resources are loaded on Lightning pages.

