Specifying a CSP Level

Specify the Content Security Policy (CSP) of lightning:container to give yourself more flexibility while developing your app.

CSP is an added layer of security that helps prevent certain types of attack, like Cross-Site Scripting and data injection attacks. A CSP header specifies a policy that allows certain elements of a web page (such as images, video, or other media) to be loaded from a specified set of external domains.

Specify a CSP level and a landing page for your app by adding a manifest.json file to the static resource referenced by lightning:container. The manifest.json file is optional, and represents a JSON array of pages within your app. If you don’t include a manifest file in your static resource, the landing page of your app must be named index.html.

This example manifest.json includes three pages: index.html, foo.html, and bar.html.
{
    "landing-pages" : [
        {
            "path": "index.html",
            "content-security-policy-type": "lightning"
        },
        {
            "path": "foo.html",
            "content-security-policy-type": "minimum"
        },
        {
            "path": "bar.html",
            "content-security-policy-type": "custom",
            "content-security-policy": "default-src *;"
        }
    ]
}

Each page in your app can have a CSP level of Lightning, minimum, or custom.

CSP Level   Description
Lightning   Default. Allows content to be loaded only from the Lightning domain. This value provides the greatest security.
Minimum     default-src self 'unsafe-eval'; style-src self 'unsafe-inline';
            The minimum CSP also includes a frame-ancestors attribute that restricts the ancestors of the Lightning container iframe.
Custom      User-specified. In a CSP header, you can specify the default-src, img-src, media-src, script-src, and other directives. For more information on the syntax and uses of CSP headers, see the Content Security Policy Reference.

The default CSP of lightning:container is Lightning. A CSP of Lightning allows content to be loaded only from the Lightning and Visualforce domains. If you don’t include a manifest.json file in your static resource, it’s given a CSP level of Lightning. If you do include a manifest.json file, but do not specify the content-security-policy-type for one of the pages included, it’s given a CSP level of Lightning.

The CSP header of your content is also given a frame-ancestors attribute that restricts the iframe ancestor to provide clickjack protection.
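As an added example (not Salesforce's own code), a small Node.js check that parses a manifest.json in the format shown above, rejects the malformed variants JSON does not allow (a missing or trailing comma), and reports pages whose custom policy reopens what the Lightning default closes. The weak-policy heuristics in reviewCustomPolicy are this example's own assumption, not platform behaviour.

```javascript
// Added example, not Salesforce code: checks a lightning:container manifest.json before it is
// bundled into a static resource. Structure follows this page; the weak-policy checks are my own.
const VALID_TYPES = new Set(["lightning", "minimum", "custom"]);
// Constructed sample: the three-page manifest from this page, as valid JSON.
const SAMPLE_MANIFEST = JSON.stringify({ "landing-pages": [
  { path: "index.html", "content-security-policy-type": "lightning" },
  { path: "foo.html", "content-security-policy-type": "minimum" },
  { path: "bar.html", "content-security-policy-type": "custom", "content-security-policy": "default-src *;" },
] });
// Flags sources in a custom policy that undo the protection CSP is meant to give.
function reviewCustomPolicy(policy) {
  const findings = [];
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (!name) continue;
    if (sources.includes("*")) findings.push(`${name} allows any origin (*)`);
    if (["default-src", "script-src"].includes(name) && sources.includes("'unsafe-inline'")) {
      findings.push(`${name} permits inline scripts ('unsafe-inline')`);
    }
  }
  return findings;
}
// Returns a list of problems; an empty list means the manifest parses and no page weakens the Lightning default.
function validateManifest(text) {
  let manifest;
  try {
    manifest = JSON.parse(text); // a missing or trailing comma fails here
  } catch (e) {
    return [`manifest.json is not valid JSON: ${e.message}`];
  }
  const pages = manifest["landing-pages"];
  if (!Array.isArray(pages)) return ['"landing-pages" must be an array of pages'];
  const problems = [];
  pages.forEach((page, i) => {
    const where = `landing-pages[${i}]`;
    if (typeof page.path !== "string" || !page.path) problems.push(`${where}: missing "path"`);
    const type = page["content-security-policy-type"];
    if (type === undefined) problems.push(`${where}: no type given, page falls back to Lightning`);
    else if (!VALID_TYPES.has(type)) problems.push(`${where}: unknown type "${type}"`);
    else if (type === "custom") {
      const policy = page["content-security-policy"];
      if (typeof policy !== "string" || !policy.trim()) problems.push(`${where}: custom type requires "content-security-policy"`);
      else reviewCustomPolicy(policy).forEach((f) => problems.push(`${where}: ${f}`));
    }
  });
  return problems;
}
console.log(validateManifest(SAMPLE_MANIFEST)); // [ 'landing-pages[2]: default-src allows any origin (*)' ]
```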