To help prevent code injection attacks, Salesforce plans to update the system-defined trusted URLs that define your site’s content security policy (CSP) in Winter ’25. Prepare for this change by reviewing the impacted resources and updating your trusted URLs.
Where: This change applies to Aura, LWR, and Visualforce sites accessed through Lightning Experience and Salesforce Classic in Enterprise, Performance, Developer, and Unlimited editions.