Trusted URLs

Administration 🔴 Advanced
📖 4 min read

Definition

Trusted URLs is a Setup page where administrators add external URLs to the Content Security Policy (CSP) allowlist, permitting Salesforce Lightning pages to load scripts, styles, images, and frames from those domains. Without an allowlist entry, browsers block external content for security reasons.

Real-World Example

The admin at Apex Dynamics adds "https://cdn.chartlibrary.com" and "https://maps.googleapis.com" to Trusted URLs so that a custom Lightning component can load an external charting library and Google Maps embed. Before adding these entries, the browser's CSP blocked both resources and the component displayed error messages.

Why Trusted URLs Matters

Trusted URLs is the Setup page where administrators manage the Content Security Policy (CSP) allowlist for their Salesforce org. Salesforce serves each Lightning page with a CSP header, and the browser enforces it to limit cross-site scripting: any external resource — scripts, stylesheets, images, fonts, and iframes — whose origin is not explicitly permitted is refused. When a custom Lightning component needs to load a JavaScript library from a CDN, embed a Google Maps widget, or display images from an external server, the administrator must add that domain to the Trusted URLs list with the appropriate CSP directives (for example script-src for scripts or img-src for images). Without this entry the browser blocks the resource, reports only a CSP violation in the developer console, and the component fails.
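The matching logic a browser applies to such an allowlist is easy to misjudge (a domain allowed for frame-src is still blocked for script-src; a kind with no directive of its own falls back to default-src; a wildcard like *.example.com does not cover the bare domain). The following is an added example, not Salesforce code: a simplified model of CSP source matching in JavaScript. The page origin, policy string and resource URLs are constructed for illustration and do not reproduce the actual header Salesforce sends.

```javascript
// Added example (not Salesforce code): a minimal model of how a browser applies
// a CSP allowlist to a resource load. Policy, origins and URLs are constructed.

// Parse "directive src src; directive src" into { directive: [sources] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Does one source expression permit this URL? Supports 'self', 'none', '*',
// scheme sources (https:), and host sources with optional scheme, wildcard
// subdomain (*.example.com) and port. Path matching is omitted for brevity.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && url.protocol !== `${scheme.toLowerCase()}:`) return false;
  const h = host.toLowerCase();
  // "*.example.com" matches subdomains only, never "example.com" itself
  const hostOk = h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) : url.hostname === h;
  if (!hostOk) return false;
  if (port && port !== '*' && (url.port || defaultPort(url.protocol)) !== port) return false;
  return true;
}

// A load of kind "script" is governed by script-src; when that directive is
// absent the browser falls back to default-src (real browsers also consult
// child-src for frames; simplified here).
function isAllowed(policy, kind, resourceUrl, pageOrigin) {
  const sources = policy[`${kind}-src`] ?? policy['default-src'];
  if (!sources) return true; // nothing governs this kind: unrestricted
  const url = new URL(resourceUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

const PAGE_ORIGIN = 'https://example-org.lightning.force.test'; // constructed
const POLICY = parsePolicy([
  "default-src 'self'",
  "script-src 'self' https://cdn.chartlibrary.com",
  "style-src 'self' https://cdn.chartlibrary.com",
  "frame-src 'self' https://maps.googleapis.com",
  "img-src 'self' https://*.marketing-platform.example",
].join('; '));

// Walk the loads a Lightning component might attempt and report each verdict.
function evaluateLoads(policy = POLICY, pageOrigin = PAGE_ORIGIN) {
  const loads = [
    ['script', 'https://cdn.chartlibrary.com/chart.min.js'],
    ['style',  'https://cdn.chartlibrary.com/chart.css'],
    ['frame',  'https://maps.googleapis.com/maps/embed?q=Apex+Dynamics'],
    ['script', 'https://maps.googleapis.com/maps/api/js'],           // frame-src only: blocked
    ['img',    'https://img.marketing-platform.example/pixel.gif'],
    ['script', 'https://img.marketing-platform.example/track.js'],  // img-src only: blocked
    ['font',   'https://fonts.example/ui.woff2'],                    // no font-src: default-src 'self'
    ['script', `${pageOrigin}/resource/chart.js`],                   // 'self'
  ];
  return loads.map(([kind, url]) => ({ kind, url, allowed: isAllowed(policy, kind, url, pageOrigin) }));
}

for (const r of evaluateLoads()) console.log(r.allowed ? 'ALLOW' : 'BLOCK', r.kind, r.url);
```

Run it with node; the verdicts show why granting a domain only the directive it needs matters: the marketing host can serve a tracking pixel but not a script, and the maps host can be framed but not executed.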

As organizations adopt more third-party integrations and build sophisticated Lightning components, the Trusted URLs list grows and requires governance. Each domain added to the allowlist is a security decision — granting script-src permission to an external domain means that domain can execute JavaScript in the context of your Salesforce page. Organizations that add domains too liberally increase their exposure to supply chain attacks if a trusted CDN is compromised. Best practice is to allowlist only the specific domains needed, use the most restrictive directive that satisfies the requirement, and periodically audit the list to remove domains that are no longer in use. Failing to manage this list leads to either broken components or an unnecessarily large attack surface.

How Organizations Use Trusted URLs

  • Apex Dynamics Corp — Apex Dynamics' admin adds cdn.chartlibrary.com with script-src and style-src directives, plus maps.googleapis.com with frame-src, to enable a custom Lightning dashboard component. Before these entries, the component displayed error messages and blank spaces where the chart and map should have rendered.
  • WaveRider Marketing — WaveRider adds their marketing automation platform's domain to Trusted URLs with img-src permission so that email tracking pixels and campaign images render correctly within Salesforce's embedded email preview. This targeted permission lets images load without granting the marketing platform script execution rights.
  • IronClad Security Services — IronClad conducts quarterly audits of their Trusted URLs list, removing 8 domains associated with tools they decommissioned over the past year. This cleanup reduces their CSP allowlist from 23 to 15 entries, tightening their security posture and ensuring that only actively used external resources have permission to load within their Salesforce pages.
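The audit IronClad performs, and the least-privilege choice WaveRider makes, can be checked mechanically once the allowlist and the loads components actually make are written down. This is an added example, not Salesforce code or a Salesforce API: a JavaScript audit that flags allowlist entries no component uses, directives granted but never exercised (script-src grants called out as high risk, since they permit code execution), and loads that no entry covers and that CSP will therefore block. Both input lists are constructed; in practice the observed loads would come from a review of component source or from CSP violation reports.

```javascript
// Added example (not Salesforce code): audit a Trusted URLs allowlist against
// the external loads components are known to make. Both lists are constructed.

// Mirrors what an admin enters on the Setup page: one host, one or more directives.
const ALLOWLIST = [
  { url: 'https://cdn.chartlibrary.com', directives: ['script-src', 'style-src'] },
  { url: 'https://maps.googleapis.com', directives: ['frame-src'] },
  { url: 'https://marketing-platform.example', directives: ['img-src', 'script-src'] },
  { url: 'https://old-dashboard-tool.example', directives: ['script-src', 'connect-src'] },
];

// Constructed record of what components actually load (kind = script, style, img, frame, font, ...).
const OBSERVED_LOADS = [
  { kind: 'script', url: 'https://cdn.chartlibrary.com/chart.min.js' },
  { kind: 'style', url: 'https://cdn.chartlibrary.com/chart.css' },
  { kind: 'frame', url: 'https://maps.googleapis.com/maps/embed?q=HQ' },
  { kind: 'img', url: 'https://marketing-platform.example/pixel.gif' },
  { kind: 'font', url: 'https://fonts.example/ui.woff2' },
];

// Directives that let an external host run code in the page context.
const HIGH_RISK = new Set(['script-src', 'default-src']);

function auditAllowlist(allowlist = ALLOWLIST, observed = OBSERVED_LOADS) {
  const findings = [];

  // host -> set of directives the observed loads actually require
  const neededByHost = new Map();
  for (const load of observed) {
    const host = new URL(load.url).host;
    if (!neededByHost.has(host)) neededByHost.set(host, new Set());
    neededByHost.get(host).add(`${load.kind}-src`);
  }

  // "host|directive" pairs the allowlist grants (exact host match; wildcards not modelled)
  const granted = new Set();
  for (const entry of allowlist) {
    const host = new URL(entry.url).host;
    const needed = neededByHost.get(host) ?? new Set();
    if (needed.size === 0) {
      findings.push({ severity: 'remove', host, detail: 'no component loads anything from this host' });
    }
    for (const d of entry.directives) {
      granted.add(`${host}|${d}`);
      if (needed.size > 0 && !needed.has(d)) {
        findings.push({
          severity: HIGH_RISK.has(d) ? 'tighten-high' : 'tighten',
          host, directive: d, detail: 'granted but never exercised',
        });
      }
    }
  }

  // Loads with no covering entry are the ones that surface as broken components.
  for (const [host, needed] of neededByHost) {
    for (const d of needed) {
      if (!granted.has(`${host}|${d}`)) {
        findings.push({ severity: 'blocked', host, directive: d, detail: 'not allowlisted; CSP will block it' });
      }
    }
  }
  return findings;
}

for (const f of auditAllowlist()) {
  console.log(`[${f.severity}] ${f.host}${f.directive ? ' ' + f.directive : ''}: ${f.detail}`);
}
```

With the constructed inputs the audit reports one entry to remove (the decommissioned tool), one high-risk directive to drop (script-src on the marketing host, which only serves images), and one load that will be blocked until a font-src entry is added. Re-running it after each quarterly review keeps the allowlist at the size the components actually need.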
