Today's blog post was written by Nathen Drees, Senior Developer at Sonoma Partners.
Recently, Salesforce sent emails to all administrators informing them of a change to the Content Security Policy that will affect Lightning Components. The intent was to give administrators and App Innovator partners time to review their components to ensure they meet all the best practices and do not run afoul of the newly enforced settings. Once the Summer '17 release is live, a critical update named “Lightning LockerService Security” will be force enabled, and any Lightning Components not meeting the new requirements may cease to function properly.
Not sure what Content Security Policies or the Lightning LockerService are? Need some help reviewing your components to ensure they’re compliant? Just want to talk to a human being? Contact us and we can help.
The body of the notice has been reposted below for your convenience:
As an admin for a Salesforce org using Lightning components, we want to notify you of an update to LockerService that will impact your custom Lightning components with the Summer ’17 release.
What is LockerService?
LockerService enhances security by isolating individual Lightning components in their containers. LockerService also promotes best practices that improve the supportability of your code by only allowing access to supported APIs and eliminating access to non-published framework internals. For more information, see the Lightning Components Developer Guide.
What is the update?
LockerService will be automatically activated for all orgs in the Summer ‘17 release. In the Spring '17 release, the existing LockerService critical update will enhance security by enforcing Content Security Policy (CSP) to eliminate the possibility of cross-site scripting attacks by disallowing the unsafe-inline and unsafe-eval keywords for inline scripts (script-src).
What action do I need to take?
If you’d like to apply LockerService to your sandbox or Developer Edition org before the Summer ‘17 release, activate the LockerService critical update. Before the Summer ’17 release, you can manually activate and deactivate the update as often as you need to evaluate the impact on your org. To deactivate the critical update, from Setup, click Critical Updates, and click Deactivate on the critical update labeled "Enable Lightning LockerService Security."
What do we recommend?
We recommend that you test the CSP enhanced LockerService after the Spring ‘17 release in a sandbox or Developer Edition org to verify the correct behavior of your components before activating it in your production org. Before the Summer ’17 release, you can manually activate and deactivate the update as often as you need to evaluate the impact on your org. LockerService will continue to be a critical update for Spring '17.
- Internet Explorer 11 doesn’t support CSP, so we recommend using other supported browsers for enhanced security.
- When LockerService is activated in sandbox or Developer Edition orgs, you can't edit rich-text fields, and the fields are grayed out. This limitation will be removed when LockerService is auto-enabled for all orgs during the Summer ’17 release.
Where can I find additional information?
For more information, see the LockerService Overview video and the Lightning Components Developer Guide. Also, review Supported Browsers for Lightning Experience. The Lightning Discussion Forums are also a great place to get help from Salesforce and developer community experts.
For additional questions, open a case with Support via the Help & Training portal.
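To check a policy against the script-src restriction the notice describes, here is an added JavaScript example (not Salesforce's or Sonoma Partners' code; the policy strings are constructed samples) that parses a Content-Security-Policy header and reports whether the effective script-src still permits 'unsafe-inline' or 'unsafe-eval', including the case where script-src is absent and default-src governs scripts:

```javascript
// Added example, not Salesforce code: audit a Content-Security-Policy header
// for the script-src keywords the LockerService update disallows.
// The policy strings below are constructed samples, not real Salesforce headers.

const DISALLOWED_SCRIPT_KEYWORDS = ["'unsafe-inline'", "'unsafe-eval'"];

// Parse a CSP header into a Map of directive name -> array of source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return directives;
}

// Return the disallowed keywords the effective script-src permits.
// Per the CSP spec, script-src falls back to default-src when it is absent.
function disallowedScriptKeywords(header) {
  const directives = parseCsp(header);
  const effective =
    directives.get("script-src") || directives.get("default-src") || [];
  return DISALLOWED_SCRIPT_KEYWORDS.filter((kw) => effective.includes(kw));
}

// A weak policy that still lets inline and eval'd script run ...
const WEAK_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self'";
// ... and the shape the update enforces for script-src.
const COMPLIANT_POLICY = "default-src 'self'; script-src 'self'; style-src 'self'";
// Fallback case: no script-src directive, so default-src governs scripts.
const FALLBACK_POLICY = "default-src 'self' 'unsafe-inline'";

if (typeof require !== "undefined" && require.main === module) {
  for (const policy of [WEAK_POLICY, COMPLIANT_POLICY, FALLBACK_POLICY]) {
    const found = disallowedScriptKeywords(policy);
    console.log(found.length ? `REJECT: ${found.join(", ")}` : "OK", "<-", policy);
  }
}
```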