configuring-webapp-csp-trusted-sites
CSP Trusted Sites
When to Use
Use this skill whenever the application references a new external domain that is not already registered as a CSP Trusted Site. This includes:
- Adding images from a new CDN (Unsplash, Pexels, Cloudinary, etc.)
- Loading fonts from an external provider (Google Fonts, Adobe Fonts)
- Calling a third-party API (Open-Meteo, Nominatim, Mapbox, etc.)
- Loading map tiles from a tile server (OpenStreetMap, Mapbox)
- Embedding iframes from external services (YouTube, Vimeo)
- Loading external stylesheets or scripts
Salesforce enforces Content Security Policy (CSP) headers on all web applications. The browser blocks requests to any external domain that is not registered as a CSP Trusted Site, so images fail to load, API calls fail, or fonts go missing.
Reference: Salesforce CspTrustedSite Object Reference
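One way to catch the trigger described above before the browser does is to scan the application source for external origins and compare them with the origins already registered. This is an added example, not code from the skill or from Salesforce; the function names, the sample files and the registered list are all constructed for illustration.

```javascript
// Constructed sample: origins assumed to be registered as CSP Trusted Sites already.
const REGISTERED = new Set(["https://fonts.googleapis.com"]);

// Constructed sample source files (path -> contents).
const SAMPLE_FILES = {
  "src/Hero.jsx": '<img src="https://images.unsplash.com/photo-1?w=800" />',
  "src/weather.js": 'fetch("https://api.open-meteo.com/v1/forecast?latitude=1")',
  "src/index.html": '<link href="https://fonts.googleapis.com/css2?family=Inter" rel="stylesheet">',
  "src/Video.jsx": '<iframe src="https://www.youtube.com/embed/abc"></iframe>',
  "src/local.js": 'fetch("/api/local")', // same-origin call, needs no trusted site
};

// Absolute http(s) URLs written literally in source. Template placeholders
// (${...}) stop the match, so dynamically built hosts are not detected and
// still need a manual review.
const URL_RE = /https?:\/\/[^\s"'`<>)\\${}]+/g;

// Return the set of origins (scheme + host + port) referenced in one file.
function externalOrigins(text) {
  const origins = new Set();
  for (const candidate of text.match(URL_RE) || []) {
    try {
      origins.add(new URL(candidate).origin);
    } catch (_) {
      // Not a parseable URL; ignore it.
    }
  }
  return origins;
}

// Map each unregistered origin to the files that reference it.
function findUnregistered(files, registered) {
  const missing = new Map();
  for (const [path, text] of Object.entries(files)) {
    for (const origin of externalOrigins(text)) {
      if (registered.has(origin)) continue;
      if (!missing.has(origin)) missing.set(origin, []);
      missing.get(origin).push(path);
    }
  }
  return missing;
}

for (const [origin, paths] of findUnregistered(SAMPLE_FILES, REGISTERED)) {
  console.log(`${origin} is not a registered trusted site (used in ${paths.join(", ")})`);
}
```

Each origin it reports is a candidate for a new CSP Trusted Site entry; relative URLs and origins already in the registered set are skipped.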