You do not configure this page itself. The real task is reading a violation, then resolving it by trusting the right host on the Trusted URLs page. Here is the loop an admin runs to clear a blocked resource.
- Open the violations page: In Setup, use the Quick Find box to find and select Trusted URL and Browser Policy Violations. Review the entries, remembering the list only shows unique violations from the last seven days.
- Read the row carefully: For each violation, note the URL, the Resource Type, the CSP Directive, and the Violation Type. Confirm whether it is a CSP Violation (a blocked resource) or a Blocked Redirect (a stopped navigation), because they are fixed differently.
- Create the Trusted URL: Go to Trusted URLs in Setup and click New Trusted URL. Enter a name and the exact host from the violation, including the https scheme. All external resources must use HTTPS.
- Select the matching directive: Choose the CSP directive that matches the violation, such as connect-src for an API call, frame-src for an iframe, or img-src for an image. Leave Active selected so the entry takes effect immediately.
- Test, then watch for stragglers: Reload the component and exercise the feature again. Return to the violations page to confirm the entry cleared, and check back after vendor or browser updates for new violations that appear later.
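The triage steps above, sketched as an added example (not Salesforce code): it reduces violation rows to one Trusted URL candidate per host and directive, and routes blocked redirects, non-HTTPS URLs and unrecognised directives to manual review. The dictionary key names, the sample rows and the choice to keep an explicit port are assumptions of this example.

```python
from urllib.parse import urlsplit

# Directives named on this page; any other value goes to manual review.
PAGE_DIRECTIVES = {"connect-src", "frame-src", "img-src",
                   "font-src", "media-src", "style-src"}

# Constructed sample rows. Key names are assumptions that mirror the columns
# described above (URL, CSP Directive, Violation Type).
SAMPLE_ROWS = [
    {"url": "https://api.example.com/v1/orders?id=7",
     "directive": "connect-src", "violation_type": "CSP Violation"},
    {"url": "https://API.example.com/v1/items",
     "directive": "connect-src", "violation_type": "CSP Violation"},
    {"url": "https://widgets.example.com:8443/embed",
     "directive": "frame-src", "violation_type": "CSP Violation"},
    {"url": "http://cdn.example.net/logo.png",
     "directive": "img-src", "violation_type": "CSP Violation"},
    {"url": "https://login.example.org/start",
     "directive": "", "violation_type": "Blocked Redirect"},
]

def triage(rows):
    """Return ({origin: {directives}}, [(url, reason)]) for violation rows."""
    candidates, review = {}, []
    for row in rows:
        url = row["url"]
        if row["violation_type"] != "CSP Violation":
            review.append((url, "blocked redirect: not fixed like a CSP violation"))
            continue
        try:
            parts = urlsplit(url)
            port = parts.port  # raises ValueError on a malformed port
        except ValueError:
            review.append((url, "unparseable URL"))
            continue
        if parts.scheme != "https" or not parts.hostname:
            review.append((url, "not HTTPS: external resources must use HTTPS"))
        elif row["directive"] not in PAGE_DIRECTIVES:
            review.append((url, "directive not recognised: check the row"))
        else:
            # Trust scheme + host only, never the path or query (port kept by assumption).
            origin = f"https://{parts.hostname}" + (f":{port}" if port else "")
            candidates.setdefault(origin, set()).add(row["directive"])
    return candidates, review


if __name__ == "__main__":
    for item in triage(SAMPLE_ROWS):
        print(item)
```

Two violations against the same host collapse into a single candidate, so the number of Trusted URL entries to create is usually smaller than the number of rows on the page.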
The CSP Directive is the rule that blocked the resource, such as connect-src, frame-src, img-src, font-src, media-src, or style-src. You must trust the host against the same directive that appears in the violation.
The Violation Type tells you whether the event was a CSP Violation (blocked asset load) or a Blocked Redirect (blocked navigation to an untrusted origin). Read this before choosing a fix.
A value of Lightning confirms the violation came from a Lightning Experience page rather than another surface, which helps you locate the component responsible.
The Active setting controls whether a trusted URL is enforced. Deselect it to temporarily disable an entry without deleting it; reselect it to restore access.
- The list retains only the last seven days of violations and a daily job purges older ones, so treat it as a live view, not an audit log.
- Reported entries are blocked only under stricter settings; many frame-src, font-src, and img-src requests are not enforced until Adopt Updated CSP Directives is enabled in Session Settings.
- For long-term history, schedule daily queries of the Blocked Redirect and CSP Violations event types in Event Monitoring, since the page itself keeps nothing past a week.