KI-121

Salesforce Summer ’24: CSP directives prevent Microsoft 365™ iframes from loading

Created date

05/17/2024

Updated date

08/22/2024

Status

Backlog

Related work item

PLTFM-2721

Description

As part of Salesforce’s Summer ’24 release, Salesforce is updating the content security policy (CSP) directives for Lightning pages. This prevents Microsoft 365 domains that are embedded as iframes in Lightning pages from loading and may prompt an error in your browser.

For more information about CSP rules and trusted URLs, reference Salesforce's documentation.

Affects version(s)

All versions

Impacted capabilities

N/A

Steps to reproduce

Ensure that your org has both of the following:
- the Salesforce Summer '24 release with the Adopt Updated Content Security Policy (CSP) Directives release update enabled
- the Microsoft 365™ integration
Create a Document record with a Microsoft 365 file (e.g., upload a .doc file).
Check out the document in Microsoft 365.
Check the document back in. In the Check In Document modal, notice how the preview of the Microsoft 365 file does not load.

Workaround

To ensure that Microsoft 365 iframes load as expected, configure Microsoft 365 as a trusted site:

In Settings, search for and select to Trusted URLs.

Create five new trusted URLs.

API Name	URL
`Office`	`*.mcm.mavens.com`
`Office_Auth`	`*.mcm.auth.mavens.com`
`MCM_KomodoHealth`	`*.mcm.komodohealth.com`
`MCM_Auth_Staging`	`mcm--staging.auth.us-west-1.amazoncognito.com`
`MCM_Auth`	`mcm.auth.us-west-1.amazoncognito.com`

Under CSP Directives, check all of the checkboxes for every trusted URL.
- connect-src (scripts)
- font-src (fonts)
- frame-src (iframe content)
- img-src (images)
- media-src (audio and video)
- style-src (stylesheets)
Leave all other values as they are.

For more information about CSP rules and trusted URLs, reference Salesforce's documentation.

Fix version

Resolution notes

KI-121

Salesforce Summer ’24: CSP directives prevent Microsoft 365™ iframes from loading

Search results