Sunday, September 22, 2019

Content Security Policy(CSP) in Salesforce

Content Security Policy(CSP)
  • The Lightning Component framework uses the Content Security Policy (CSP) to impose restrictions on content. 
  • The main objective is to help prevent cross-site scripting (XSS) and other code injection attacks. 
  • To use third-party APIs that make requests to an external (non-Salesforce) server or to use a WebSocket connection, add a CSP Trusted Site.

CSP is a W3C standard that defines rules to control the source of content that can be loaded on a page. All CSP rules work at the page level and apply to all components and libraries.

When you define a CSP Trusted Site, the site’s URL is added to the list of allowed sites for the following directives in the CSP header.

This change to the CSP header directives allows Lightning components to load resources, such as images, styles, and fonts, from the site. It also allows client-side code to make requests to the site.

From Setup, enter CSP Trusted Sites in the Quick Find box, and then select CSP Trusted Sites

1. Enter the site URL
2. Select the Context for this trusted site to control the scope of the approval.
All  -  (Default)CSP header is approved for both your organization’s Lightning Experience and Lightning Communities.
LEX CSP header is approved only for your organization’s Lightning Experience.
Communities CSP header is approved only for your organization’s Lightning Communities.

Content Security Policy

No comments:

Post a Comment