Completely unrelated to the “Invalid Crypto Key” error we ran into last month, a SINGLE one of our client’s (so far) Salesforce Partial sandboxes is now getting CORS errors from Box (using the Box SDK in a LWC) w/o making any changes to the component code, Salesforce, or Box config. We use this same lower level utility LWC code across about a dozen different client’s Salesforce Org’s, including dozens of total sandboxes & Production envs, and no other env is encountering this error...yet.

I’ve opened a case w/ Salesforce Partner Community support and they’re running out of ideas, our Box CORS config is unchanged and includes the URL that’s throwing the CORS error, we’ve added and removed the domain back w/ & w/o the trailing slash and didn’t make a difference.

I upgraded to the latest 4.91 version of the Box for Salesforce managed package since it adds a couple of extra Trusted URL’s...didn’t make a difference.

The “Invalid Crypto Key” error also started as a single client’s Partial sandbox a couple of months ago, and it slowly spread across them in what I’m still convinced was a Salesforce rolling wave by wave deployment security library patch. I’m creating escalation paths w/ both Box & Salesforce as if this spreads like the last issue did, it will impact dozens of sandboxes & Production instances for us. Anyone have any ideas or seeing any of the same yet?