Trusted URL and Browser Policy Violations
Definition
Trusted URL and Browser Policy Violations is a Setup page that logs instances where browsers blocked content due to Content Security Policy (CSP) violations. It helps administrators identify and resolve issues where custom JavaScript, iframes, or external resources are being blocked by the browser's security policies.
In plain English
“Here's a simple way to think about it: Trusted URL and Browser Policy Violations is your CSP debugger of last resort. Lightning's Content Security Policy blocks external resources silently; this page surfaces the silent blocks so you can debug.”
Worked example
Users at CloudSync report that a custom Lightning component's interactive chart is not rendering. The admin checks Trusted URL and Browser Policy Violations and finds CSP violation entries showing that the chart library's CDN domain is being blocked. She adds the CDN URL to the Trusted URLs list, and the chart renders correctly on the next page load.
Why Trusted URL and Browser Policy Violations is your CSP debugger of last resort
Lightning's Content Security Policy (CSP) blocks external resources - scripts, images, iframes, styles - that aren't on the trusted-URL list. The block happens silently in the browser; the user sees broken functionality, the developer sees nothing in the Salesforce logs. Trusted URL and Browser Policy Violations is the page that surfaces those silent blocks. Each row is a specific resource a browser refused to load, with the URL, the directive that failed, and the page that triggered it.
The reason it deserves a bookmark when you build custom Lightning components is that "it works on my machine" is meaningless against CSP. The check happens in each user's browser, and policy can vary by browser version. Use this page during development to find the URLs you need to add to Trusted URLs, and keep an eye on it after deployment to catch the new ones that emerge as third-party services move endpoints.
How to set up Trusted URL and Browser Policy Violations
Trusted URL and Browser Policy Violations is the read-only log of Content Security Policy (CSP) violations Salesforce caught — your custom Lightning components, Visualforce pages, or embedded scripts trying to load resources from URLs not in your Trusted URLs allowlist. The first stop when something "isn't loading" in a custom UI.
- Open Setup → Trusted URL and Browser Policy Violations
Setup gear → Quick Find: Trusted URL → Trusted URL and Browser Policy Violations.
- Review the recent violations list
Each row: Violation Time, Affected Page (Lightning App, Visualforce page), Blocked URL, CSP Directive (script-src / connect-src / etc.).
- Identify whether violations are legitimate or malicious
Most are legitimate: your custom code is calling an external API that isn't in Trusted URLs. Malicious ones would show unfamiliar URLs appearing on unfamiliar pages.
- For legitimate: add the URL to Setup → Trusted URLs
Setup → Trusted URLs → New Trusted URL, then enter the URL pattern and select the CSP directives. The blocked URL becomes allowed; refresh the page and the violation should not recur.
- For malicious or suspicious: investigate the source
A Lightning component or Visualforce page making an unexpected callout could indicate compromised code. Audit recent deploys.
- Repeat regularly during custom-component development
The violations log fills up during development and drives the Trusted URL backlog. Clear violations after fixing them.
Last 24h / 7d / 30d. Default 7d.
Drill to specific Lightning App or Visualforce page producing violations.
script-src / connect-src / frame-src / img-src / etc.
- Browsers enforce CSP at runtime. If a violation appears here, the user's browser already blocked the resource — the page rendered partially or broke. Fix violations promptly during development.
- Some violations come from third-party libraries loading internal resources. The fix may require adding multiple URLs (the library's CDN, plus its callback domains).
- Violations only log when the user's browser sends a CSP violation report. Some browsers / extensions block reporting — you may have unreported violations producing silent UI breakage.
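The triage in the steps above, sketched as an added example (not Salesforce code): it groups violation rows by blocked origin, collects the directives and pages involved, and separates origins you expect from ones to investigate before allowlisting. The row field names, sample rows, and expected-origin list are constructed assumptions, not a Salesforce export schema.

```javascript
// Added example. Field names and all sample values below are constructed.
const rows = [
  { page: "/lightning/n/Sales_Dashboard", blockedUrl: "https://cdn.charts.example/lib/chart.min.js", directive: "script-src" },
  { page: "/lightning/n/Sales_Dashboard", blockedUrl: "https://cdn.charts.example/img/legend.png", directive: "img-src" },
  { page: "/apex/OrderEntry", blockedUrl: "https://api.rates.example/v1/fx", directive: "connect-src" },
  { page: "/apex/OrderEntry", blockedUrl: "https://collect.unknown.example/p?d=1", directive: "connect-src" },
  { page: "/lightning/n/Sales_Dashboard", blockedUrl: "inline", directive: "script-src" },
];
// Origins the team knowingly depends on (constructed).
const expected = new Set(["https://cdn.charts.example", "https://api.rates.example"]);

function triageViolations(rows, expectedOrigins) {
  const groups = new Map();
  for (const { page, blockedUrl, directive } of rows) {
    let origin = null;
    try {
      const o = new URL(blockedUrl).origin;
      if (o !== "null") origin = o; // data: URLs have an opaque origin
    } catch { /* CSP keyword such as "inline" or "eval", not a URL */ }
    const key = origin ?? `(${blockedUrl})`;
    if (!groups.has(key)) {
      const status = origin === null ? "not-a-url"
        : expectedOrigins.has(origin) ? "allowlist" : "investigate";
      groups.set(key, { target: key, status, directives: new Set(), pages: new Set(), count: 0 });
    }
    const g = groups.get(key);
    g.directives.add(directive);
    g.pages.add(page);
    g.count += 1;
  }
  // Unfamiliar origins first, so they are reviewed before anything is allowlisted.
  const order = { investigate: 0, "not-a-url": 1, allowlist: 2 };
  return [...groups.values()]
    .map(g => ({ ...g, directives: [...g.directives].sort(), pages: [...g.pages].sort() }))
    .sort((a, b) => order[a.status] - order[b.status] || a.target.localeCompare(b.target));
}

for (const g of triageViolations(rows, expected)) {
  console.log(`${g.status.padEnd(11)} ${g.target}  [${g.directives.join(", ")}]  pages: ${g.pages.join(", ")}`);
}
```

For each "allowlist" group, the directives column lists only the directives that actually failed, which is the narrowest set to select on the Trusted URL entry.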
How organizations use Trusted URL and Browser Policy Violations
Identified missing Trusted URLs through this log; custom Lightning component finally rendered correctly across browsers.
Quarterly review catches new third-party endpoints that need allowlisting before users complain.
Trust & references
Straight from the source - Salesforce's reference material on Trusted URL and Browser Policy Violations.
- Manage Trusted URLs (Salesforce Help)
Test your knowledge
Q1. Why is understanding Trusted URL and Browser Policy Violations important for Salesforce admins?
Q2. In which area of Salesforce would you typically find Trusted URL and Browser Policy Violations?
Q3. What is the primary benefit of Trusted URL and Browser Policy Violations for Salesforce administrators?