CSP is an added layer of security that helps prevent certain types of attacks, such as Cross-Site Scripting and data injection. A CSP header specifies a policy that allows certain elements of a web page (such as images, video, or other media) to be loaded only from a specified set of external domains.
Specify a CSP level and a landing page for your app by adding a manifest.json file to the static resource referenced by lightning:container. The manifest.json file is optional, and represents a JSON array of pages within your app. If you don’t include a manifest file in your static resource, the landing page of your app must be named index.html.
```json
{
  "landing-pages": [
    {
      "path": "index.html",
      "content-security-policy-type": "lightning"
    },
    {
      "path": "foo.html",
      "content-security-policy-type": "minimum"
    },
    {
      "path": "bar.html",
      "content-security-policy-type": "custom",
      "content-security-policy": "default-src *;"
    }
  ]
}
```
Each page in your app can have a CSP level of Lightning, minimum, or custom.
CSP Level | Description |
---|---|
Lightning | Default. Allows content to be loaded only from the Lightning domain. This value provides the greatest security. |
Minimum | `default-src self 'unsafe-eval'; style-src self 'unsafe-inline';` The minimum CSP also includes a frame-ancestors attribute that restricts the ancestors of the Lightning container iframe. |
Custom | User-specified. In a CSP header, you can specify the default-src, img-src, media-src, script-src, and other directives. For more information on the syntax and uses of CSP headers, see the Content Security Policy Reference. |
The default CSP of lightning:container is Lightning. A CSP of Lightning allows content to be loaded only from the Lightning and Visualforce domains. If you don’t include a manifest.json file in your static resource, it’s given a CSP level of Lightning. If you do include a manifest.json file, but do not specify the content-security-policy-type for one of the pages included, it’s given a CSP level of Lightning.
The CSP header of your content is also given a frame-ancestors attribute that restricts which pages can embed the iframe, which provides clickjack protection.
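As an added example (not Salesforce's own code), the following lints a manifest.json of the shape described above before it is packaged into the static resource: it checks each landing page's `path` and `content-security-policy-type`, requires a `content-security-policy` when the type is `custom`, and warns when a custom policy is weaker than the Lightning or minimum levels (a `*` source or inline script). The sample manifest is constructed from the one on this page with its JSON syntax corrected; the warning rules are this example's own choices.

```javascript
// Added example, not Salesforce's code: lint a lightning:container manifest.json
// before it is zipped into the static resource, and flag weak custom policies.
const LEVELS = new Set(["lightning", "minimum", "custom"]);

// Split a CSP string into a Map of directive name -> source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}
// Returns { errors, warnings }: errors are manifest mistakes, warnings are weak CSPs.
function validateManifest(manifestText) {
  const errors = [], warnings = [];
  let manifest;
  try { manifest = JSON.parse(manifestText); }
  catch (e) { return { errors: [`not valid JSON: ${e.message}`], warnings }; }
  const pages = manifest["landing-pages"];
  if (!Array.isArray(pages)) return { errors: ['missing "landing-pages" array'], warnings };
  pages.forEach((page, i) => {
    const where = `landing-pages[${i}]`;
    if (typeof page.path !== "string" || !page.path.endsWith(".html")) {
      errors.push(`${where}: "path" must name an .html page`);
    }
    // A page with no type falls back to the Lightning level (the strictest one).
    const type = page["content-security-policy-type"] ?? "lightning";
    if (!LEVELS.has(type)) { errors.push(`${where}: unknown type "${type}"`); return; }
    if (type !== "custom") return;
    const policy = page["content-security-policy"];
    if (typeof policy !== "string" || !policy.trim()) {
      errors.push(`${where}: custom level requires "content-security-policy"`); return;
    }
    const csp = parseCsp(policy);
    if (!csp.has("default-src")) warnings.push(`${where}: no default-src fallback`);
    for (const [name, sources] of csp) {
      if (sources.includes("*")) warnings.push(`${where}: ${name} allows any origin (*)`);
      if (["default-src", "script-src"].includes(name) && sources.includes("'unsafe-inline'")) warnings.push(`${where}: ${name} permits inline script`);
    }
  });
  return { errors, warnings };
}
// Constructed sample input: the manifest from this page with its JSON syntax fixed.
const SAMPLE_MANIFEST = JSON.stringify({ "landing-pages": [
  { path: "index.html", "content-security-policy-type": "lightning" },
  { path: "foo.html", "content-security-policy-type": "minimum" },
  { path: "bar.html", "content-security-policy-type": "custom", "content-security-policy": "default-src *;" },
] });
```

Running `validateManifest(SAMPLE_MANIFEST)` reports no errors and one warning, because bar.html's custom policy `default-src *;` allows content from any origin.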