The Cross-Origin Resource Sharing (CORS) allowlist is the list of external domains (origins) whose browser-side scripts are allowed to call your Salesforce resources. Every entry you add grants that domain cross-origin access to data in your Salesforce org, so the list should contain only domains you trust.
From 1 February 2022, Salesforce is rolling out a security change that affects how requests from these external domains are handled. Currently the CORS allowlist in Setup is enforced only by the browser for Lightning apps; it isn’t enforced on the server. This release update enforces the allowlist on the server as well, so that requests from domains not on the list are rejected earlier and are never processed by the server.
How to Prepare for the Changes
To avoid disruptions when enforcement begins, perform the following actions before the Spring ’22 release. The change applies to Lightning Out and other Lightning apps in Lightning Experience and to all versions of the Salesforce app.
Once the change is enforced with the Spring ’22 release, requests from domains that haven’t been added to the CORS allowlist will be blocked, which can show up as broken image paths, broken scripts, or other changes in functionality. If you are an Enterprise, Unlimited or Performance Edition customer, take the following steps to determine the impact:
- Log in to your organization. Navigate to the Event Log File Browser application and click Production Login.
- Set Start Date to today’s date.
- Select the CorsViolation event type for your search.
- Choose the Interval Value of “Daily”.
- If the Interval Value field isn’t shown, skip this step.
- Click Apply.
If the resulting count is 0, your organization isn’t affected by this release update.
If the resulting count is not 0, your organization is affected by the update.
To see which domains are affected, select the CORS Violation Record event type and click Apply. The results list the requesting domains whose requests will be blocked once the allowlist is enforced.
If you are a Professional Edition customer you should contact Salesforce Support to determine impact.
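The identification steps above are a click-through in the Event Log File Browser. As an added example (not Salesforce’s own code), the Python script below does the same triage offline on a downloaded CorsViolation log export: it counts violations per requesting origin, applies the same “count of 0 means not affected” rule, and flags plain-http origins that deserve extra scrutiny before anyone allowlists them. The sample rows are constructed, and the column names (ORIGIN, URI, REQUEST_STATUS) are an assumption for this example; take the real field names from the EventLogFile reference for the CorsViolation event type. The SOQL string mirrors the Start Date, event type and Daily interval filters used in the UI.

```python
"""Triage a CorsViolation event log export (added example, not Salesforce's code).

Does offline what the Event Log File Browser steps do in the UI: count
CorsViolation rows and list the requesting origins that will be blocked
once the allowlist is enforced on the server.
"""
import csv
import io
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample export. The column names (ORIGIN, URI, REQUEST_STATUS)
# are an assumption for this example; take the real ones from the
# EventLogFile reference for the CorsViolation event type.
SAMPLE_LOG = """\
"EVENT_TYPE","TIMESTAMP","ORIGIN","URI","REQUEST_STATUS"
"CorsViolation","20220115120000.000","https://portal.example.com","/lightning/lightning.out.js","S"
"CorsViolation","20220115120100.000","HTTPS://Portal.Example.com/","/resource/1642248000000/logo","S"
"CorsViolation","20220115120200.000","http://intranet.example.net:8080","/lightning/lightning.out.js","S"
"""


def soql_for_cors_violations(start_date: str) -> str:
    """SOQL matching the UI filters: event type CorsViolation, Daily interval,
    log date on or after start_date (YYYY-MM-DD). Run it with any REST/SOQL
    client, then download each LogFile and feed it to summarise_violations()."""
    return (
        "SELECT Id, EventType, LogDate, Interval, LogFile FROM EventLogFile "
        "WHERE EventType = 'CorsViolation' AND Interval = 'Daily' "
        f"AND LogDate >= {start_date}T00:00:00Z"
    )


def normalise_origin(value: str) -> str:
    """Reduce whatever was logged to scheme://host[:port], lower-cased.
    A CORS allowlist entry is an origin, so that is the unit to compare on."""
    parts = urlsplit(value.strip())
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return f"{parts.scheme.lower()}://{host}"


def summarise_violations(csv_text: str) -> dict[str, int]:
    """Count CorsViolation rows per normalised origin."""
    counts: Counter[str] = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("EVENT_TYPE") != "CorsViolation":
            continue  # defensive: ignore any other event type mixed in
        counts[normalise_origin(row["ORIGIN"])] += 1
    return dict(counts)


def is_affected(csv_text: str) -> bool:
    """Mirror of the UI rule: a count of 0 means the org is not affected."""
    return sum(summarise_violations(csv_text).values()) > 0


def insecure_origins(counts: dict[str, int]) -> list[str]:
    """Origins served over plain http; allowlisting one lets any on-path
    attacker who can impersonate that site reach your org cross-origin."""
    return sorted(o for o in counts if o.startswith("http://"))


if __name__ == "__main__":
    counts = summarise_violations(SAMPLE_LOG)
    print("affected:", is_affected(SAMPLE_LOG))
    for origin, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{n:5d}  {origin}")
    for origin in insecure_origins(counts):
        print("review before allowlisting (plain http):", origin)
```

Normalising to an origin matters because two log rows that differ only in case, trailing slash or path are the same allowlist decision; the count per origin tells you which integrations are busiest and therefore break most visibly on enforcement day.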
Managing the impact of this change
To avoid disruptions at release time, test the release update before it is enforced with the Spring ’22 release, using these steps:
- Enter Release Updates in the Setup Quick Find box. Find the release update you want to test and click View Details or Get Started. Then:
- Identify the domains that are affected by this release update by following the identification steps outlined previously.
- Investigate each affected domain to establish why it is actively using Salesforce assets.
If you trust the domain and want its pages to keep using those assets, add the domain to the CORS allowlist. Do not add a domain just because it appears in the violation log: an allowlist entry grants that domain cross-origin access to your org. For specific instructions, follow the steps in the Developer Guide listed in the resources below.
After adding the domain to your CORS allowlist, test it again with the release update enabled to confirm that the site works as expected.
Repeat for all affected domains.
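Typing each reviewed domain into Setup works for a handful of entries, but the allowlist is security configuration and is better validated and deployed from source control. As an added example (not Salesforce’s own code), the Python script below takes the origins that survived the review step, rejects entries that are not origins you should trust (URLs with a path, plain http, over-broad wildcards), and emits CorsWhitelistOrigin files plus a package.xml in Metadata API source layout. The type name CorsWhitelistOrigin and its urlPattern field come from the Metadata API; the REVIEWED list, the validation policy and the file-naming convention are this example’s own, so verify the folder name, suffix and API version against the Metadata API Developer Guide before deploying.

```python
"""Turn reviewed origins into CORS allowlist metadata (added example, not
Salesforce's code).

Validates that each entry is an origin you actually want to trust, then
emits CorsWhitelistOrigin files in Metadata API source layout so the
allowlist can be deployed and version-controlled instead of typed into
Setup by hand. The type name CorsWhitelistOrigin and its urlPattern field
come from the Metadata API; verify the file layout and API version against
the Metadata API Developer Guide for your org.
"""
import re
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

METADATA_NS = "http://soap.sforce.com/2006/04/metadata"
API_VERSION = "54.0"  # Spring '22

# Constructed list of origins that survived the "do we trust this domain?"
# review. One deliberately bad entry shows the validation rejecting it.
REVIEWED = [
    "https://portal.example.com",
    "https://*.partner.example.org",
    "https://portal.example.com/lightning/",  # a URL, not an origin
]


def validate_origin(pattern: str) -> list[str]:
    """Reasons NOT to allowlist `pattern`; an empty list means it is acceptable.
    The rules are this example's policy: https only, an origin rather than a
    URL, and a wildcard only as the leading label of a host with at least two
    more labels. Salesforce itself accepts broader patterns."""
    problems = []
    parts = urlsplit(pattern.strip())
    host = parts.hostname or ""
    if parts.scheme != "https":
        problems.append("only https origins: an http origin can be spoofed on-path")
    if "@" in parts.netloc:
        problems.append("userinfo is not part of an origin")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("an allowlist entry is an origin, not a URL: drop path/query/fragment")
    if not host:
        problems.append("missing host")
    elif "*" in host:
        labels = host.split(".")
        if labels[0] != "*" or "*" in host[2:] or len(labels) < 3:
            problems.append("wildcard too broad: use the https://*.example.com form")
    return problems


def dev_name(pattern: str) -> str:
    """Metadata full name derived from the host (this example's convention)."""
    host = (urlsplit(pattern).hostname or "").replace("*", "wildcard")
    return re.sub(r"[^A-Za-z0-9]+", "_", host).strip("_")


def origin_xml(pattern: str) -> str:
    """One CorsWhitelistOrigin component."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<CorsWhitelistOrigin xmlns="{METADATA_NS}">\n'
        f"    <urlPattern>{escape(pattern)}</urlPattern>\n"
        "</CorsWhitelistOrigin>\n"
    )


def package_xml(names: list[str]) -> str:
    """Manifest listing every component in the bundle."""
    members = "".join(f"        <members>{escape(n)}</members>\n" for n in sorted(names))
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<Package xmlns="{METADATA_NS}">\n'
        "    <types>\n"
        f"{members}"
        "        <name>CorsWhitelistOrigin</name>\n"
        "    </types>\n"
        f"    <version>{API_VERSION}</version>\n"
        "</Package>\n"
    )


def allowlist_bundle(patterns):
    """Return (files, rejected): files maps a source path to its content for
    every acceptable pattern; rejected maps each bad pattern to its reasons."""
    rejected = {p: validate_origin(p) for p in patterns if validate_origin(p)}
    accepted = [p for p in patterns if p not in rejected]
    files = {
        f"corsWhitelistOrigins/{dev_name(p)}.corsWhitelistOrigin": origin_xml(p)
        for p in accepted
    }
    if accepted:
        files["package.xml"] = package_xml([dev_name(p) for p in accepted])
    return files, rejected


if __name__ == "__main__":
    files, rejected = allowlist_bundle(REVIEWED)
    for path, content in files.items():
        print(f"== {path}\n{content}")
    for pattern, reasons in rejected.items():
        print("rejected:", pattern, "->", "; ".join(reasons))
```

Write the returned files into a deployment package and deploy them with your usual Metadata API tooling; the rejected entries are the ones to send back to the domain owner, since a path in the entry usually means someone pasted a page URL rather than the site’s origin, and a plain-http or bare-wildcard entry widens access far beyond the one integration that was reviewed.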
We have put together a list of resources that can help you navigate through these changes:
Release Notes: Enforce CORS Allowlist for Lightning Apps
Salesforce Help: Use CORS to Access Salesforce Resources from Web Browsers
Lightning Web Components Developer Guide: Use Components Outside Salesforce with Lightning Out (Beta)