LockerService Enforcement Is Dependent on the API Version
LockerService, a powerful security architecture for custom Lightning components, is enforced for all Lightning components created in Summer ’17 (API version 40.0) and later. LockerService isn’t enforced for components with API version 39.0 and lower, which covers any component created before Summer ’17.
Stricter Content Security Policy (CSP) Restrictions Aren’t Enforced
The stricter CSP restrictions, which mitigate the risk of cross-site scripting attacks, have been decoupled from LockerService and aren’t enforced in production orgs in Summer ’17. Instead, the stricter CSP changes are available in two new critical updates—one for Communities and one for other contexts—which you can activate in sandbox or Developer Edition orgs. These critical updates give you more time to update your code to work with stricter CSP.