CSP and Lightning Locker in Experience Builder Sites

What Is CSP?

CSP is a list of rules that define the Content-Security-Policy HTTP header that’s sent to the browser when someone visits your site. Web browsers use these rules to block requests to unknown servers for different kinds of resources such as scripts, images, and other data. Strict CSP makes your site the most secure against these kinds of attacks by preventing requests to other servers, unless explicitly allowed.

CSP determines what is part of your site and what isn’t. One of the most important aspects of CSP is how it defines the boundaries of your site. Anything not loaded through your site's domain name, such as a logo hosted on a separate company site, is considered a third-party host. This approach to CSP follows the same-origin policy that browsers already enforce. You can access third-party hosted materials, but you must choose a security level for your site first. Then, allow the hosts as appropriate.

What Is Lightning Locker?

Lightning Locker is a Salesforce architectural layer that enhances the security of the third-party Lightning components in your site and custom code in your head markup. These third-party components and custom code can contain security vulnerabilities that enable the exfiltration of data and potentially malicious actions using that data.

Lightning Locker controls whether third-party components and custom code from different namespaces can share data or interfere with each other. If third-party components or custom code deals with sensitive data, communication between these resources is a special concern. For example, without Lightning Locker, a third-party component could include JavaScript that captures secure data that a customer enters in another component, and then send that data to their own servers. Lightning Locker ensures that third-party components and custom code that interacts with resources in other namespace can run safely even when together on the same page in the browser.

By default, Lightning Locker is turned on for your site. Depending on your security level, you can choose to turn off Lightning Locker for all third-party components and custom code.

Security Levels

You can choose from these security levels.

Security Level	Description
Strict CSP: Block Access to Inline Scripts and Permits Access to Allowed Hosts	Default setting for sites created in Spring ’19 (February 2019) and later. Provides maximum security. Blocks the execution of all inline scripts and all requests for remote JavaScript files unless explicitly allowed. Allows the display of non-script resources, such as images, from third-party hosts that are explicitly allowed. Lightning Locker is turned on automatically, but can be turned off.
Relaxed CSP: Permit Access to Inline Scripts and Allowed Hosts	Provides moderate security. Allows inline scripts to run in your site. Allows the loading of remote JavaScript files and the display of non-script resources, such as images, from third-party hosts that are explicitly allowed. Lightning Locker is turned on automatically, but can be turned off.
Allow Inline Scripts and Script Access to Any Third-party Host	Provides no added security, but enables your site to work as currently designed. Blocks nothing. Allows access to all third-party hosts without the need to explicitly allow those hosts. Lightning Locker is turned on and can’t be disabled. Note This option is only visible for sites created before Spring ’19. In Spring ’22 (February 2022), this option is being removed.