Choose a CSP Level for lightning:container (Developer Preview)

The lightning:container component allows you to upload an app developed with a third-party framework as a static resource, and host the content in a Lightning component. You can specify the Content Security Policy (CSP) and the landing page of your content with a JSON file in your static resource, giving you more fine-grained control over the security of your content.

CSP is an added layer of security that helps prevent certain types of attack, like Cross-Site Scripting and data injection attacks. A CSP header specifies a policy that allows certain elements of a web page (such as images, video, or other media) to be loaded from a specified set of domains.

Specify a CSP level and a landing page for your app by adding a manifest.json file to the static resource referenced by lightning:container. The manifest.json file is optional, and represents a JSON array of pages within your app. If you don’t include a manifest file in your static resource, the landing page of your app must be named index.html.

This example manifest.json includes three pages: index.html, foo.html, and bar.html.
{
    "landing-pages" : [
        {
            "path": "index.html",
            "content-security-policy-type": "lightning"
        },
        {
            "path": "foo.html",
            "content-security-policy-type": "minimum"
        },
        {
            "path": "bar.html",
            "content-security-policy-type": "custom",
            "content-security-policy": "default-src *;"
        }
    ]
}

Each page in your app can have a CSP level of Lightning, minimum, or custom.
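
A manifest like the one above can be checked before the static resource is uploaded. The following linter is an added example, not Salesforce code: it rejects malformed JSON, flags unknown CSP types, and reports custom policies that allow any origin, such as `default-src *;`. The function names, the exact-lowercase matching of the three type strings, and the rule that a custom page must carry its own policy string are assumptions of this example.

```javascript
// Added example: lint a lightning:container manifest.json before upload.
// Assumptions: type strings are matched exactly as the lowercase values
// below, and a "custom" page must carry a "content-security-policy" string.
const CSP_TYPES = new Set(["lightning", "minimum", "custom"]);

// Split a CSP string into { directive: [sources...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Return a list of findings; an empty list means nothing was flagged.
function lintManifest(jsonText) {
  let manifest;
  try { manifest = JSON.parse(jsonText); }
  catch (err) { return [`invalid JSON: ${err.message}`]; }
  const pages = manifest && manifest["landing-pages"];
  if (!Array.isArray(pages)) return ['"landing-pages" must be an array'];
  const findings = [];
  pages.forEach((entry, i) => {
    const page = entry || {};
    const name = page.path || `entry ${i}`;
    if (typeof page.path !== "string") findings.push(`${name}: missing "path"`);
    const type = page["content-security-policy-type"];
    if (!CSP_TYPES.has(type)) {
      findings.push(`${name}: unknown CSP type ${JSON.stringify(type)}`);
      return;
    }
    if (type !== "custom") return;
    const policy = page["content-security-policy"];
    if (typeof policy !== "string" || policy.trim() === "") {
      findings.push(`${name}: custom type without "content-security-policy"`);
      return;
    }
    for (const [directive, sources] of Object.entries(parseCsp(policy))) {
      if (sources.includes("*")) findings.push(`${name}: ${directive} allows any origin (*)`);
    }
  });
  return findings;
}

// Constructed sample: the three pages from the manifest above.
const SAMPLE = JSON.stringify({ "landing-pages": [
  { "path": "index.html", "content-security-policy-type": "lightning" },
  { "path": "foo.html", "content-security-policy-type": "minimum" },
  { "path": "bar.html", "content-security-policy-type": "custom",
    "content-security-policy": "default-src *;" } ] });
console.log(lintManifest(SAMPLE)); // one finding, for bar.html
```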