[SalesForce] New CSP violation spontaneously happening in lightning

I have some code in a Visualforce page that uses a custom JS library to build an Excel file client-side from an object generated on the server side, and then forces the browser to download the file.

This was working fine in both lightning and classic until about 10 days ago when it stopped working in lightning. Now the server generates the object but the page fails to download the file once it has created it.

Our code that calls the third-party library is below:

// Serialise the workbook to a binary string with SheetJS (XLSX.write)
var workBookOut = XLSX.write(workBook, {
    bookType: 'xlsx',
    bookSST: true,
    type: 'binary'
});

// saveToArrayBuffer is our own helper (defined elsewhere) that converts the
// binary string into an ArrayBuffer; saveAs() from the download library wraps
// it in a Blob and triggers the download of <excelName>.xlsx via a blob: URL
saveAs(
    new Blob([saveToArrayBuffer(workBookOut)], { type: "application/octet-stream" }),
    excelName + '.xlsx'
);

A CSP directive is now being violated, which appears to be the error. I assume this is something to do with the new strict enforcement Salesforce is adding. However, I was under the impression that Salesforce was not enforcing stricter CSP in production orgs for another release. I looked in the org and the critical update is not active yet.

Reading the documentation, I saw a note about adding a CSP Trusted Site, but this is not a connect-src error, so it doesn't seem to apply. I did test it out.

The error we get in the Chrome console is below.

<namespace>.ap5.visual.force.com/:1 Refused to frame '' because it violates the following Content Security Policy directive: "frame-src https: mailto: *.ap5.visual.force.com".

(index):1 Not allowed to load local resource: blob:https://<namespace>.ap5.visual.force.com/f035dc0e-ae07-47be-8e4a-c8443e93657b

Has Salesforce changed something else recently that might be causing this issue?

Any other pointers on what is going wrong here and what I can do to fix it?

Thanks All!
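The first console error in the question is, at bottom, a CSP source-expression match failing: a blob: URL has the scheme blob, so neither the https: scheme-source nor the *.ap5.visual.force.com host-source in the reported frame-src directive covers it, and blob: itself is not listed. The following JavaScript is an added example, not code from the question, the answer or Salesforce: a simplified model of CSP source matching (scheme-source, host-source with a leading "*." wildcard, 'self', 'none', and the frame-src fallback chain) that reproduces that decision. The policy string is copied from the console error; example-ns is a constructed placeholder for the question's <namespace>.

```javascript
// Added example (not from the question or from Salesforce): a simplified model of
// CSP source-expression matching, enough to show why a blob: URL is refused by a
// frame-src directive that lists only https:, mailto: and a wildcard host.
// It approximates the CSP Level 3 algorithm for teaching purposes; browsers also
// handle redirects, ports, paths and http->https upgrades, which are omitted here.

// Parse "directive src src; directive src" into a Map of directive name -> [sources].
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does a single source expression match `url`? `self` is the protected page's origin.
function sourceMatches(source, url, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.protocol === self.protocol && url.host === self.host;
  // scheme-source such as "https:" or "blob:" is compared against the URL's own scheme,
  // so "https:" does not cover a blob: URL even when the blob was minted by an https page
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;
  // host-source: only URLs with a network scheme (http/https) can match a host pattern
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const host = s.replace(/^[a-z]+:\/\//, "").replace(/\/.*$/, "").replace(/:\d+$/, "");
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// Fallback chain browsers consult when the named directive is absent from the policy.
const FALLBACK = {
  "frame-src": ["child-src", "default-src"],
  "child-src": ["default-src"],
  "connect-src": ["default-src"],
};

// Would `target` be allowed by `directive` of `policy` for a page at `pageOrigin`?
function isAllowed(policy, directive, target, pageOrigin) {
  const directives = parseCsp(policy);
  const chain = [directive, ...(FALLBACK[directive] || ["default-src"])];
  const governing = chain.find((d) => directives.has(d));
  if (!governing) return true; // nothing in the policy governs this request type
  const url = new URL(target);
  const self = new URL(pageOrigin);
  return directives.get(governing).some((src) => sourceMatches(src, url, self));
}

// Constructed values: "example-ns" stands in for the <namespace> in the question;
// the policy is the directive quoted in the console error.
const PAGE = "https://example-ns.ap5.visual.force.com/";
const POLICY = "frame-src https: mailto: *.ap5.visual.force.com";
const BLOB_URL = "blob:https://example-ns.ap5.visual.force.com/f035dc0e-ae07-47be-8e4a-c8443e93657b";

console.log(isAllowed(POLICY, "frame-src", BLOB_URL, PAGE));            // false: refused, as in the console error
console.log(isAllowed(POLICY + " blob:", "frame-src", BLOB_URL, PAGE)); // true: only an explicit blob: source covers it
```

Running the model over the page's own directive shows the two facts a practitioner needs when reading such an error: the https: scheme-source is not a superset of blob: URLs created by an https page, and a host wildcard never matches a non-network scheme, so the only source expression that would admit the download frame is a literal `blob:` in the governing directive, which in a hosted Visualforce page is set by the platform rather than by the page author.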

Best Answer

A few pointers:

  • Strict CSP is only enabled if you turn on the critical update.
  • You can turn Strict CSP off.

If that doesn't solve it, ping us back: you should not get that behavior. Salesforce typically only makes such changes with lots of warnings and a clear date of enablement, usually with a new release. Here is the current information, subject to change as I will explain below:

https://releasenotes.docs.salesforce.com/en-us/summer17/release-notes/rn_lightning_stricter_csp.htm

At Trailhead DX, Salesforce hinted that the critical update will be converted into a preference because many third party libraries are not ready for it. This change is scheduled for Winter '19 (subject to change).