1. Blog
    2. Preparing for CORS Allowlist updates for Lightning Apps

    Preparing for CORS Allowlist updates for Lightning Apps

    If your organisation uses lightning apps and has one or more external domains calling on your Salesforce resources then you will need to ensure that they are added to the Cross-Origin Resource Sharing (CORS) Allowlist in preparation of the February 1 2022 Update.

    • Cross-Origin Resource Sharing (CORS) allowlist is a list of external domains that you allow to call on your Salesforce resources.  By setting these up in this list you are allowing these domains to access important information from your Salesforce.

      From 1 February 2022, Salesforce will be implementing security change updates that will affect the access of these external domains.  Currently the CORS allowlist in Setup isn’t enforced for Lightning apps on the server though it’s enforced on the browser. This update will enforce the allowlist on the server so that disallowed requests are blocked earlier and not processed on the server. 

      How to Prepare for the Changes

      To avoid disruptions at the time of enforcement, perform the following actions in advance of the Spring ’22 release schedule.  This change applies to Lightning Out and other Lightning apps in Lightning Experience and all versions of the Salesforce app.

      After the change is enforced with the Spring ‘22 release,  and the requesting domains aren’t added to the CORS allowlist, it may result in broken images paths, broken scripts, or other changes to functionality.  If you are a Salesforce Enterprise, Unlimited or Performance Edition customer, you should take the following steps to determine impact:

      • Log in to your organization. Navigate to the Event Log File Browser application and click Production Login.
      • Set Start Date to today’s date.
      • Select the CorsViolation event type for your search.
      • Choose the Interval Value of “Daily.
      • If you do not see the “Interval Value” field, then you can skip this step.
      • Click Apply.

      If the resulting count is 0, then your organization isn’t affected by this release update.

      If the resulting count is not 0, then your organisation is affected by the update. 

      To view the domains that are affected by the update, select the CORS Violation Record and click Apply. This will return the domains that are impacted by the update.

      If you are a Professional Edition customer you should contact Salesforce Support to determine impact.​​​​​​​

      Managing the impact of this change

      To avoid disruptions at the time of release, it is advised that you test the release update in advance of enforcement with the Spring ’22 release schedule using these steps:

      • Enter Release Updates in the Setup Quick Find box. Find the release update you’d like to test, and click View Details or Get Started. Perform the following steps:
      • Identify the domains that are affected by this release update by following the identification steps outlined previously.
      • Investigate affected domains to evaluate their purposes for actively using Salesforce assets.

      If you trust the domain and want to allow assets to work on those domains, then add the domains to the CORS allowlist. For specific instructions, follow the steps outlined in this Developer Guide.

      After adding the domain to your CORS allowlist, test the domain again with the Release Update enabled to ensure that the site works as expected.

      Repeat for all affected domains.

      We have put together a list of resources that can help you navigate through these changes:

      Release Notes: Enforce CORS Allowlist for Lightning Apps

      Salesforce Help: Use CORS to Access Salesforce Resources from Web Browsers

      Lightning Web Components Developer Guide: Use Components Outside Salesforce with Lightning Out (Beta)

  • Getting Ready for Multi-Factor Authentication

    Salesforce will be switching to MFA from 1 February 2022. From this date, all Salesforce customers will be contractually required to use MFA in order to access Salesforce products. We have created this article about what it is and what steps your team will need to take to set this up.

    Learn More

  • 3 Tips for Not-for-Profit CRM Migration

    Is your NFP business migrating to a new CRM system? Here’s what you need to know.

    Learn More

  • Salesforce Spring ‘22 Release Highlights

    Spring ‘22 Highlights are here and it is exciting to hear that all production and sandbox environments will be upgraded to Spring ’22 by February 14, 2022.
    There are a lot of new features that will be introduced so we have hand picked some of the best highlights for you in this upcoming release.

    Learn More