Salesforce Spring ’25 Update: Important Changes to CSP Directives & Sprout iframe

Starting with Salesforce’s Spring ’25 release, stricter Content Security Policy (CSP) directives will be enforced on Lightning Pages. These new rules are designed to keep your Salesforce environment secure by preventing cross-site scripting and other code injection attacks that can occur from loading externally hosted resources like scripts, fonts, images, audio, video and stylesheets in Salesforce Lightning Web Pages.

What This Means for Sprout Social Users

This update will block the Sprout Social iframe from loading in the Lightning Web Component used in your Case page layout—unless you make a few easy changes to avoid any disruptions.

Here’s what to do:

Add sproutsocial.com as a Trusted URL: Ensure Sprout Social can continue to load smoothly by adding it as a trusted source. Be sure to select “frame-src” as the directive that allows iframes from this URL to load.
Upgrade to Version 1.5: Head over to the AppExchange and upgrade to the latest version of the managed package. This version includes a built-in component that automatically adds *sproutsocial.com as a trusted URL for iframes.

You can check your current settings by going to Setup > Security > Session Settings > Content Security Policy (CSP) Directive Rendering. Look for the option to adopt the updated CSP directives, which will be automatically applied when Spring 25 rolls out.