Add an origin to the CSP allowlist so Lightning and Experience Cloud pages can load resources from it. Check the violations list first to confirm the exact origin and directive you need.
- Open the Trusted URLs page
From Setup, type Trusted URLs in the Quick Find box and select Trusted URLs. Review the Trusted URL and Browser Policy Violation List to see which origins and directives are being blocked.
- Create the entry
Click New Trusted URL. Give it a clear API Name, enter the exact origin in the URL field (HTTPS, and a specific subdomain where possible), and leave Active selected when you want it live.
- Set context and directives
Choose the CSP Context (All, Lightning Experience, Experience Cloud sites, or Visualforce). Tick only the CSP directives the integration uses, such as connect-src for fetch calls or frame-src for embedded iframes.
- Save and verify
Save the entry, then reload the affected page and confirm the resource loads. Re-check the violations list after a day to make sure the blocked entry clears and no new origin appears.
- API Name
Unique developer name for the entry, used by the CspTrustedSite metadata and in packaging.
- URL
The external origin you are allowing, entered as an HTTPS URL; prefer a precise subdomain over a parent domain.
- CSP Context
Where the entry applies: All, Lightning Experience, Experience Cloud sites, or Visualforce.
- CSP Directives
The resource types this origin may serve, chosen as checkboxes (connect-src, frame-src, img-src, style-src, font-src, media-src).
- Adding the origin but ticking the wrong directive is the top reason a resource still fails; match the directive to the violation row.
- Remote Site Settings and Named Credentials cover Apex server-side callouts, not browser loads; a Trusted URL will not authorize an Apex callout.
- Keep the total CSP header under 12 KB; problems appear near 16 KB because third parties can add to the header in transit.
- The Active checkbox lets you stage an entry, but an inactive entry does nothing, so confirm it is active before testing.
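The steps and notes above boil down to: take each violation row, reduce it to an exact HTTPS origin, tick only the directives that were actually blocked, and keep the header under budget. The sketch below is an added example, not Salesforce code; the row fields `blockedUri` and `directive`, the function names, and the sample rows are assumptions made for illustration.

```javascript
// Directive checkboxes, as listed on this page.
const TRUSTED_URL_DIRECTIVES = ["connect-src", "frame-src", "img-src",
                                "style-src", "font-src", "media-src"];
const HEADER_BUDGET_BYTES = 12 * 1024; // page guidance: stay under 12 KB

// Constructed sample rows (hypothetical shape, not an export format).
const SAMPLE_VIOLATIONS = [
  { blockedUri: "https://api.example.com/v1/orders", directive: "connect-src" },
  { blockedUri: "https://api.example.com/v1/logo.png", directive: "img-src" },
  { blockedUri: "https://widgets.example.net/embed?id=7", directive: "frame-src" },
  { blockedUri: "http://legacy.example.org/feed", directive: "connect-src" },
  { blockedUri: "https://cdn.example.com/lib.js", directive: "script-src" },
];

// Group violation rows into one proposed entry per exact origin, carrying
// only the directives that were really blocked for that origin.
function planTrustedUrls(violations) {
  const byOrigin = new Map();
  const rejected = [];
  for (const v of violations) {
    let url;
    try {
      url = new URL(v.blockedUri);
    } catch {
      rejected.push({ ...v, reason: "not a URL" }); // e.g. "inline", "eval"
      continue;
    }
    if (url.protocol !== "https:") {
      rejected.push({ ...v, reason: "not HTTPS" });
      continue;
    }
    if (!TRUSTED_URL_DIRECTIVES.includes(v.directive)) {
      rejected.push({ ...v, reason: "directive not in checkbox list" });
      continue;
    }
    // url.origin drops path and query, so the entry is the precise subdomain.
    if (!byOrigin.has(url.origin)) byOrigin.set(url.origin, new Set());
    byOrigin.get(url.origin).add(v.directive);
  }
  const entries = [...byOrigin].map(([origin, set]) =>
    ({ origin, directives: [...set].sort() }));
  return { entries, rejected };
}

// True when a CSP header value (as sent) is under the 12 KB budget.
function headerWithinBudget(headerValue) {
  return new TextEncoder().encode(headerValue).length < HEADER_BUDGET_BYTES;
}
```

Rows that land in `rejected` need a decision by a person rather than a new entry: a plain-HTTP origin or a directive outside the checkbox list cannot be fixed by ticking another box.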