The Lightning Component framework uses Content Security Policy (CSP) to impose restrictions on content.
The main objective is to help prevent cross-site scripting (XSS) and other code injection attacks.

To use third-party APIs that make requests to an external (non-Salesforce) server or to use a WebSocket connection, add a CSP Trusted Site.
CSP is a W3C standard that defines rules to control the source of content that can be loaded on a page. All CSP rules work at the page level and apply to all components and libraries.
When you define a CSP Trusted Site, the site’s URL is added to the list of allowed sites for the following directives in the CSP header:
- connect-src
- frame-src
- img-src
- style-src
- font-src
- media-src
This change to the CSP header directives allows Lightning components to load resources, such as images, styles, and fonts, from the site. It also allows client-side code to make requests to the site.
Note:
- LEX - the site is added to the CSP header only for your organization’s Lightning Experience.
- Communities - the site is added to the CSP header only for your organization’s Lightning Communities.
- You can’t load JavaScript resources from a third-party site, even if it’s a CSP Trusted Site. To use a JavaScript library from a third-party site, add it to a static resource, and then add the static resource to your component. After the library is loaded from the static resource, you can use it as normal.
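To make the directive list and the JavaScript restriction above concrete, here is an added example (not Salesforce's code) that models what a CSP Trusted Site does to a page's policy and checks which loads the result permits. The baseline policy, page origin and site URL are constructed for illustration, and the source matcher is simplified (exact origin or scheme match, no wildcards or scheme upgrades).

```javascript
// Added illustration of CSP Trusted Site behaviour; not Salesforce's code.
const TRUSTED_SITE_DIRECTIVES = [
  "connect-src", "frame-src", "img-src", "style-src", "font-src", "media-src",
];

// Constructed baseline policy for illustration; a real Lightning policy is longer.
const BASE_POLICY = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "connect-src": ["'self'"],
  "frame-src": ["'self'"],
  "img-src": ["'self'", "data:"],
  "style-src": ["'self'", "'unsafe-inline'"],
  "font-src": ["'self'"],
  "media-src": ["'self'"],
};

// Return a new policy with the trusted site's origin appended to exactly the
// directives listed above; script-src is deliberately left untouched.
function addTrustedSite(policy, siteUrl) {
  const origin = new URL(siteUrl).origin;
  const out = {};
  for (const [directive, sources] of Object.entries(policy)) {
    out[directive] = TRUSTED_SITE_DIRECTIVES.includes(directive)
      ? [...sources, origin]
      : [...sources];
  }
  return out;
}

// Serialise the policy map into a Content-Security-Policy header value.
function toHeader(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(" ")}`)
    .join("; ");
}

// Simplified source matcher: exact origin or scheme match, no wildcards or
// http->https / ws->wss upgrades. Falls back to default-src like a browser.
function isAllowed(policy, directive, resourceUrl, pageOrigin) {
  const sources = policy[directive] || policy["default-src"] || [];
  const target = new URL(resourceUrl);
  return sources.some((src) => {
    if (src === "'self'") return target.origin === pageOrigin;
    if (src.endsWith(":")) return target.protocol === src;
    return target.origin === src;
  });
}
```

Running the checks shows that an image or XHR to the trusted site passes while a script from the same site is still blocked, which is why the library has to be served from a static resource.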