Wrote more about the Salesforce bug on my blog – one key detail is that Salesforce were using a CSP header to prevent loading images from untrusted domains… but one of their allow-listed domains had expired!
Salesforce Security Bug: Expired Domain in CSP Header
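An added example, not code from the original post or from Salesforce: a sketch of auditing a CSP allow-list for hosts whose domain is no longer registered, the failure described above. The header, the domain names and the `is_registered` lookup are constructed assumptions; a real check would query RDAP/WHOIS or DNS instead.

```python
import re

# Optional scheme, optional "*." wildcard, hostname, optional port and path.
_HOST_RE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?(?:\*\.)?([a-z0-9.-]+)(?::[\d*]+)?(?:/.*)?$", re.I)

def csp_hosts(header):
    """Return {directive: [hostnames]} for the host-based sources in a CSP header."""
    result = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        directive, sources = tokens[0].lower(), tokens[1:]
        hosts = []
        for src in sources:
            # Skip 'self'/'none'/nonces/hashes, a bare "*", and scheme sources (data:).
            if src.startswith("'") or src == "*" or src.endswith(":"):
                continue
            m = _HOST_RE.match(src)
            if m:
                hosts.append(m.group(1).lower())  # wildcard prefix is dropped
        if hosts:
            result[directive] = hosts
    return result

def audit(header, is_registered):
    """Return sorted (directive, host) pairs whose host fails is_registered."""
    return sorted((d, h) for d, hosts in csp_hosts(header).items()
                  for h in hosts if not is_registered(h))

# Constructed sample: one allow-listed image host sits on a lapsed domain.
SAMPLE_CSP = ("default-src 'self'; "
              "img-src 'self' data: https://images.example.com "
              "https://*.lapsed-vendor.example; "
              "script-src 'self' https://static.example.com")

# Constructed stand-in for a registration lookup (assumption, not a real API).
REGISTERED = {"example.com"}

def is_registered(host):
    return any(host == d or host.endswith("." + d) for d in REGISTERED)

if __name__ == "__main__":
    for directive, host in audit(SAMPLE_CSP, is_registered):
        print(f"{directive}: {host} is allow-listed but not registered")
```

Running a check like this on a schedule, rather than once at deployment, is what catches a domain that lapses after the policy was written.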