Critical Updates

We’re enforcing the critical update that blocks execution of JavaScript in the HYPERLINK function. And we delayed the critical update that routes records to the right approval process when they’re submitted behind the scenes.

To ensure a smooth transition, each critical update has an opt-in period, which ends on the auto-activation date that’s displayed on the Critical Updates page in Setup. During this period, you can manually activate and deactivate the update as often as you need to evaluate the impact on your org and modify affected customizations. After the opt-in period has passed, the update is activated. For more details, see Respond to Critical Updates.

Pre-Existing Critical Updates

These critical updates were announced in a previous release and are still available.

Critical Updates for Stricter CSP Restrictions
Stricter Content Security Policy (CSP) restrictions have been decoupled from LockerService and aren't enforced in production orgs in Winter ’18. Instead, to give you more time to update your code to work with stricter CSP, the stricter CSP changes are available in two critical updates that affect only sandbox and Developer Edition orgs.

Enforced Critical Updates

Block Execution of JavaScript in the HYPERLINK Function To Be Enforced (Critical Update)
Blocking execution of JavaScript in the HYPERLINK function was a critical update in Summer ’17 and will be activated automatically for all orgs on October 30, 2017. This change was phased in over several releases. It addresses a cross-site scripting (XSS) vulnerability that arises when the URL argument of a HYPERLINK function contains JavaScript (for example, a javascript: URL). When a user clicks such a link, the script runs in that user's browser session and therefore executes with the user's permissions.
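The following is an added illustration, not Salesforce code: a URL-scheme allow-list of the kind that this critical update enforces on the URL argument of HYPERLINK. The function names, the assumed "render the label as plain text" fallback, and the sample URLs are all constructed for illustration; the page does not specify the platform's exact rendering of a blocked link.

```javascript
// Added example (not Salesforce code): a scheme allow-list for the URL
// argument of HYPERLINK. Function names, the fallback rendering and the
// sample inputs below are assumptions for illustration.

// Schemes a link in a record page may legitimately use. Everything else,
// including "javascript:", "vbscript:" and "data:", is refused.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto", "tel"]);

// Browsers strip tabs, newlines and leading/trailing control characters
// before parsing a URL, so "java\tscript:alert(1)" still executes. Strip
// every C0 control and the space character anywhere in the value (a
// superset of what browsers strip, so the check only becomes stricter),
// then read the scheme case-insensitively.
function extractScheme(url) {
  const cleaned = String(url).replace(/[\u0000-\u0020]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// true when the value is safe to place in an href: an allow-listed
// absolute URL, or a scheme-less relative path that resolves against the
// org's own origin.
function isSafeHyperlinkUrl(url) {
  const scheme = extractScheme(url);
  if (scheme === null) return true;
  return ALLOWED_SCHEMES.has(scheme);
}

// Minimal escaping for the rendered anchor's attribute and text content.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render HYPERLINK(url, label). A blocked URL is rendered as plain text so
// the label still appears but nothing is clickable. This fallback is an
// assumption; the platform's exact behaviour is not given on this page.
function renderHyperlink(url, label) {
  if (!isSafeHyperlinkUrl(url)) {
    return escapeHtml(label);
  }
  return `<a href="${escapeHtml(url)}">${escapeHtml(label)}</a>`;
}

// Constructed examples of values a formula author might have supplied.
const SAMPLE_URLS = [
  "https://example.com/support?case=42",
  "/lightning/r/Account/001/view",
  "mailto:support@example.com",
  "javascript:alert(document.cookie)",
  " JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
];

function classifyAll(urls = SAMPLE_URLS) {
  return urls.map((u) => ({ url: u, safe: isSafeHyperlinkUrl(u) }));
}

for (const r of classifyAll()) {
  console.log(`${r.safe ? "allow" : "BLOCK"}  ${JSON.stringify(r.url)}`);
}
```

The check operates on the decoded value: if the input arrives HTML-entity encoded (for example, `&#106;avascript:`), decode it first, because the browser will decode the attribute before it parses the URL. Relative paths are allowed because they can only resolve to the org's own origin, which is the property the allow-list is protecting.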
Allow CSRF Protection on GET Requests to Visualforce Pages To Be Enforced (Critical Update)
Allow CSRF Protection on GET Requests to Visualforce Pages was a critical update in Spring ’17 and will be enforced for all orgs on October 15, 2017. This critical update gives you the option of requiring that a Visualforce page receive a valid CSRF token with a GET request, so that a request forged from another site cannot trigger the page's action simply by making the user's browser follow a link.

Postponed Critical Updates

“Make Sure Records that Are Submitted Behind the Scenes Are Routed to the Right Approval Process” Critical Update Postponed
This critical update, released in Summer ’16, was scheduled for auto-activation in Spring ’18, but has been postponed to Winter ’19.