The Lightning Component framework uses the Content Security Policy (CSP) to impose restrictions on content.
The main objective is to help prevent cross-site scripting (XSS) and other code injection attacks.
To let client-side code call third-party APIs on an external (non-Salesforce) server, or open a WebSocket connection to one, add a CSP Trusted Site.
CSP is a W3C standard that defines rules to control the source of content that can be loaded on a page. All CSP rules work at the page level and apply to all components and libraries.
When you define a CSP Trusted Site, the site’s URL is added to the list of allowed sites for the following directives in the CSP header.
- connect-src
- frame-src
- img-src
- style-src
- font-src
- media-src
This change to the CSP header directives allows Lightning components to load resources, such as images, styles, and fonts, from the site. It also allows client-side code to make requests to the site. Note that script-src is not on the list: a CSP Trusted Site never permits loading JavaScript from the external site, so external libraries still have to be uploaded as static resources.
Path
From Setup, enter CSP Trusted Sites in the Quick Find box, and then select CSP Trusted Sites.
1. Enter the site URL.
2. Select the Context for this trusted site to control the scope of the approval.
- All (Default): the CSP header is approved for both your organization’s Lightning Experience and Lightning Communities.
- Communities: the CSP header is approved only for your organization’s Lightning Communities.
The framework enables these specific CSP rules:
- All external JavaScript libraries must be uploaded to your org as static resources. The script-src 'self' directive requires scripts to be loaded from the same origin as the page.
- The font-src, img-src, media-src, frame-src, style-src, and connect-src directives are set to 'self'. As a result, fonts, images, videos, frame content, CSS, and the endpoints that client-side code can connect to must all be in the org by default.
- All references to external fonts, images, frames, and CSS must use an HTTPS URL. This requirement applies whether the resource is located in your org or accessed through a CSP Trusted Site.
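The following is an added example and not Salesforce code: it models the two passages above (the six directives a CSP Trusted Site is appended to, and the 'self' defaults) as a small policy parser and evaluator, so the effect of adding a trusted site can be checked on concrete URLs. The org origin, the sample policy and all URLs are constructed for the demo; the matching logic is a deliberately simplified subset of the CSP specification (no IPv6 hosts, no paths in host-sources).

```javascript
// Added example, not Salesforce code. Parses a CSP header, applies the
// "add a CSP Trusted Site" change to the six directives the page lists,
// and evaluates resource URLs the way a browser would.
const ORG_ORIGIN = 'https://example.my.salesforce.com'; // assumption: the page's own origin
const TRUSTED_SITE_DIRECTIVES = [
  'connect-src', 'frame-src', 'img-src', 'style-src', 'font-src', 'media-src',
];

// "directive src src; directive src" -> Map(directive -> [sources])
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [directive, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (directive) policy.set(directive.toLowerCase(), sources);
  }
  return policy;
}

function serializePolicy(policy) {
  return [...policy].map(([d, s]) => `${d} ${s.join(' ')}`).join('; ');
}

// Model of registering a CSP Trusted Site: the site's origin is appended to each of
// the six directives. The page requires HTTPS for external resources, so an http://
// site is rejected. script-src is deliberately left untouched.
function addTrustedSite(policy, siteUrl) {
  const url = new URL(siteUrl);
  if (url.protocol !== 'https:') throw new Error('CSP Trusted Site must be an HTTPS URL');
  const updated = new Map(policy);
  for (const directive of TRUSTED_SITE_DIRECTIVES) {
    const sources = updated.get(directive) || ["'self'"];
    if (!sources.includes(url.origin)) updated.set(directive, [...sources, url.origin]);
  }
  return updated;
}

// Host-source matching: optional scheme, host with optional leading "*.", optional port.
function hostSourceMatches(source, url, pageProtocol) {
  let scheme = null;
  let hostPort = source.toLowerCase();
  const i = hostPort.indexOf('://');
  if (i !== -1) { scheme = hostPort.slice(0, i + 1); hostPort = hostPort.slice(i + 3); }
  // Without an explicit scheme, the source matches the page's scheme or an https upgrade.
  const schemeOk = scheme ? url.protocol === scheme
                          : (url.protocol === pageProtocol || url.protocol === 'https:');
  if (!schemeOk) return false;
  const [host, port] = hostPort.split(':');
  const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
  if (port && port !== urlPort) return false;
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === "'none'") return false;
  if (source.endsWith(':')) return url.protocol === source; // scheme-source such as https:
  if (source.startsWith("'")) return false;                 // nonces, hashes, 'unsafe-*' never match a URL
  return hostSourceMatches(source, url, new URL(pageOrigin).protocol);
}

// Would the browser let `directive` load `resourceUrl` under `policy`?
function isAllowed(policy, directive, resourceUrl, pageOrigin = ORG_ORIGIN) {
  const sources = policy.get(directive) || policy.get('default-src') || [];
  const url = new URL(resourceUrl);
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// Inline handlers such as onclick="..." run only if script-src carries 'unsafe-inline'.
function allowsInlineScript(policy) {
  const sources = policy.get('script-src') || policy.get('default-src') || [];
  return sources.includes("'unsafe-inline'");
}

// Constructed sample: the 'self' defaults the page describes, then one trusted site added.
const BASE_POLICY = parsePolicy(
  "default-src 'self'; script-src 'self'; connect-src 'self'; frame-src 'self'; " +
  "img-src 'self'; style-src 'self'; font-src 'self'; media-src 'self'"
);
const WITH_TRUSTED_SITE = addTrustedSite(BASE_POLICY, 'https://api.example.org/v1/');

console.log(serializePolicy(WITH_TRUSTED_SITE));
console.log('fetch before:', isAllowed(BASE_POLICY, 'connect-src', 'https://api.example.org/v1/data'));        // false
console.log('fetch after :', isAllowed(WITH_TRUSTED_SITE, 'connect-src', 'https://api.example.org/v1/data'));  // true
console.log('script after:', isAllowed(WITH_TRUSTED_SITE, 'script-src', 'https://api.example.org/lib.js'));     // false
console.log('inline JS   :', allowsInlineScript(WITH_TRUSTED_SITE));                                           // false
```

The three results worth noticing are the ones the page's rules predict: the fetch to the external API is refused until the site is trusted, the external script stays refused even afterwards because script-src is not among the directives a trusted site touches, and inline handlers stay refused because 'unsafe-inline' is never added.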
Inline JavaScript disallowed
Script tags can’t be used to load JavaScript, and event handlers can’t use inline JavaScript. The unsafe-inline source for the script-src directive is disallowed. For example, this attempt to use an event handler to run an inline script is prevented:
<button onclick="doSomething()"></button>
Note: CSP isn’t enforced by all browsers. For a list of browsers that enforce CSP, see caniuse.com. IE11 doesn’t support CSP (beyond the sandbox directive), so we recommend using other supported browsers for enhanced security. Because enforcement depends on the browser, treat CSP as defense in depth, not as a substitute for proper output encoding in component code.
Finding CSP Violations
CSP policy violations are logged in the browser’s developer console. The violations look like the following message.
Refused to load the script 'https://externaljs.docsample.com/externalLib.js' because it violates the following Content Security Policy directive: ...
If your app’s functionality isn’t affected, you can ignore the CSP violation. Otherwise, the blocked URL and the directive named in the message tell you what to change: for connect-src, frame-src, img-src, style-src, font-src, or media-src, add the site as a CSP Trusted Site; for script-src, upload the library to your org as a static resource instead.
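The following is an added example, not Salesforce code, showing the triage the passage above describes: it takes violations either as the console message text (in the wording shown above) or as the fields of a browser SecurityPolicyViolationEvent, and reports whether a CSP Trusted Site would resolve each one. The sample violations are constructed; the regular expression assumes the message quotes the URL in single quotes and the directive in double quotes, as in the message on this page.

```javascript
// Added example, not Salesforce code. Maps CSP violations to the fix the page
// prescribes: CSP Trusted Site for the six covered directives, static resource
// for script-src, and moving inline JavaScript into component code.
const TRUSTED_SITE_DIRECTIVES = [
  'connect-src', 'frame-src', 'img-src', 'style-src', 'font-src', 'media-src',
];

// Pull the blocked URL and the directive out of a console message such as the one above.
// Assumption: URL in single quotes, directive value in double quotes (Chrome's wording).
function parseConsoleMessage(text) {
  const m = /Refused to [^']*'([^']+)' because it violates the following Content Security Policy directive: "([^"]+)"/.exec(text);
  return m ? { blockedURI: m[1], violatedDirective: m[2] } : null;
}

// `v` has the shape of SecurityPolicyViolationEvent: { violatedDirective, blockedURI }.
function triageViolation(v) {
  // violatedDirective may carry the whole directive value ("script-src 'self'"); keep the name only.
  const directive = v.violatedDirective.trim().split(/\s+/)[0].toLowerCase();
  if (v.blockedURI === 'inline' || v.blockedURI === 'eval') {
    return { directive, origin: null, fix: 'move inline JavaScript into the component controller; unsafe-inline is not available' };
  }
  let origin;
  try {
    origin = new URL(v.blockedURI).origin;
  } catch {
    return { directive, origin: null, fix: 'unrecognized blockedURI: ' + v.blockedURI };
  }
  if (directive.startsWith('script-src')) {
    return { directive, origin, fix: 'upload the library as a static resource; CSP Trusted Sites do not change script-src' };
  }
  if (TRUSTED_SITE_DIRECTIVES.includes(directive)) {
    return { directive, origin, fix: 'add ' + origin + ' as a CSP Trusted Site' };
  }
  return { directive, origin, fix: 'not covered by CSP Trusted Sites' };
}

// Collapse a batch of violations to one finding per (directive, origin), since one
// trusted-site entry clears every blocked URL on that origin.
function summarize(violations) {
  const seen = new Map();
  for (const v of violations) {
    const t = triageViolation(v);
    seen.set(`${t.directive} ${t.origin}`, t);
  }
  return [...seen.values()];
}

// In a browser the same data arrives as events; the guard keeps this file runnable under Node.
if (typeof document !== 'undefined') {
  document.addEventListener('securitypolicyviolation', (e) => console.warn(triageViolation(e)));
}

// Constructed sample: one console message plus three event-shaped violations.
const SAMPLE_VIOLATIONS = [
  parseConsoleMessage("Refused to load the script 'https://externaljs.docsample.com/externalLib.js' because it violates the following Content Security Policy directive: \"script-src 'self'\"."),
  { violatedDirective: 'connect-src', blockedURI: 'https://api.example.org/v1/data' },
  { violatedDirective: 'connect-src', blockedURI: 'https://api.example.org/v1/other' },
  { violatedDirective: 'img-src', blockedURI: 'https://cdn.example.org/logo.png' },
  { violatedDirective: 'script-src-attr', blockedURI: 'inline' },
];

for (const finding of summarize(SAMPLE_VIOLATIONS)) console.log(finding);
```

The summary is what you would carry into Setup: one CSP Trusted Site per external origin that appears under a covered directive, and a separate static-resource upload for anything refused under script-src.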
Stricter CSP Restrictions
The Lightning Component framework uses Content Security Policy (CSP), which is a W3C standard, to control the source of content that can be loaded on a page. The CSP rules work at the page level, and apply to all components and libraries, whether Lightning Locker is enabled or not.
The “Enable Stricter Content Security Policy” org setting was added in the Winter ’19 release to further mitigate the risk of cross-site scripting attacks. This setting was enabled by default.