Critical Updates

This release includes new critical updates for Lightning components, formulas, Apex controllers, and email notifications. We delayed the critical update that allows you to enable CSRF protection on GET requests to Visualforce pages. And we canceled the critical update that disables access to Lightning Experience and Salesforce1 from IE11.

To ensure a smooth transition, each critical update has an opt-in period, which ends on the auto-activation date that’s displayed on the Critical Updates page in Setup. During this period, you can manually activate and deactivate the update as often as you need to evaluate the impact on your org and modify affected customizations. After the opt-in period has passed, the update is activated. For more details, see Respond to Critical Updates.

New Critical Updates

These critical updates are brand new in Summer ’17.

Stricter CSP Restrictions
Stricter Content Security Policy (CSP) restrictions have been decoupled from LockerService and aren't enforced in production orgs in Summer ’17. Instead, to give you more time to update your code to work with stricter CSP, the stricter CSP changes are available in two critical updates that affect only sandbox and Developer Edition orgs.
Block Execution of JavaScript in the HYPERLINK Function
Previously, you could use JavaScript to prepare the URL argument in a HYPERLINK function. However, this approach introduces a security vulnerability: the JavaScript can carry a cross-site scripting payload, and the URL then executes on behalf of users. This critical update blocks the execution of JavaScript used to specify a URL in the HYPERLINK function.
Disable Access to Non-global Apex Controller Methods in Managed Package
This critical update corrects access controls on Apex controller methods in managed packages. When this update is enabled, only methods marked with the global access modifier are accessible by Lightning components from outside the package namespace. These access controls prevent you from using unsupported API methods that the package author didn’t intend for global access.
Stop Automated Field Updates from Suppressing Email Notifications
For various operations, such as assigning a task to someone, you can choose to notify the affected user by email. This update stops processes, workflow rules, and Apex triggers from suppressing these email notifications.
POST Method for runTestsSynchronous Requires View Setup Permission
The View Setup user permission is now required to run tests synchronously using the POST method for /runTestsSynchronous/.

Pre-Existing Critical Updates

This critical update was announced in a previous release and is still available.

Make Encrypted Data Visible to Authorized Users
Encrypted data is visible onscreen—that is, it’s not hidden by masking characters—when you activate this critical update. To hide data from unauthorized users, you must use field-level and object-level security, regardless of whether the data is encrypted. The View Encrypted Data permission is not available.

Enforced Critical Updates

LockerService, which has been a critical update since Summer ’16, is enforced for all orgs in Summer ’17. However, to reduce the impact on existing components, we adjusted the activation process.
Add Clickjack Protection for Legacy Browsers to Visualforce Pages Without Page Header
Clickjack protection for legacy browsers was a critical update in Winter ’17 and was enforced for all orgs on February 10, 2017. This critical update extends legacy browser-compatible clickjack protection to Visualforce pages that set showHeader="false" and are configured to use API versions 26.0 or earlier.

Postponed Critical Updates

Allow CSRF Protection on GET Requests to Visualforce Pages
This critical update, released in Spring ’17, was scheduled for auto-activation in Summer ’17, but has been postponed to October 15, 2017. This critical update gives you the option of ensuring that Visualforce pages receive a CSRF token with a GET request.

Canceled Critical Updates

“Disable Access to Lightning Experience and the Salesforce1 Mobile Browser App from IE11” Critical Update Canceled
The timetable for the end of support date for Internet Explorer version 11 (IE11) for Lightning Experience has changed significantly. As a result, this critical update has been canceled.