Lightning Container Components Have New Security Enhancements

The <lightning:container> component checks that the component’s namespace matches its static resource’s namespace. The component also generates a confirmation token to ensure that raw <iframe> elements aren’t used.

Where: This change applies to Lightning Experience, Salesforce Classic, and all versions of the mobile app in all editions.

How: For instance, if the <lightning:container> component has the namespace “vendor1,” the static resource’s namespace must also be “vendor1.” If the namespaces are different, an error message appears.

<aura:component>
  <lightning:container
    src="{!$Resource.vendor1__resource + '/code_belonging_to_vendor1'}"
    onmessage="{!c.vendor1__handles}"/>
</aura:component>

Raw <iframe> elements are not permitted in Lightning container components. This rule is enforced by the required query parameter _CONFIRMATIONTOKEN, whose value is a unique ID generated for each user session. Instead of a raw <iframe>, use the $Resource global value provider to build the resource URL for the <lightning:container> component.

<aura:component>
  <lightning:container
    src="{!$Resource.vendor2__resource + '/index.html' }"/>
</aura:component>
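
Both rules above can be checked in component source before deployment. The following lint is an added example, not Salesforce code: the function name, rule names, and sample markup are constructed, and it assumes the caller knows the component's namespace and that unprefixed $Resource references resolve to that namespace.

```javascript
// Added example: pre-deployment lint for Aura component markup.
// Not Salesforce code; it mirrors the two rules above on the source side.

// $Resource.<namespace>__<name>; the namespace prefix may be absent.
const RESOURCE_REF = /\$Resource\.(?:([A-Za-z][A-Za-z0-9]*)__)?[A-Za-z][A-Za-z0-9_]*/;
// A whole <lightning:container ...> tag, tolerating '>' inside quoted values.
const CONTAINER_TAG = /<lightning:container\b(?:"[^"]*"|[^>"])*>/gi;

// componentNamespace is supplied by the caller (assumption: taken from
// project metadata). Returns the list of rule names the markup breaks.
function lintContainerMarkup(markup, componentNamespace) {
  const findings = [];
  if (/<iframe\b/i.test(markup)) {
    findings.push('raw-iframe');
  }
  for (const [tag] of markup.matchAll(CONTAINER_TAG)) {
    const src = /\bsrc\s*=\s*"([^"]*)"/i.exec(tag);
    const ref = src && RESOURCE_REF.exec(src[1]);
    if (!ref) {
      findings.push('src-not-from-resource');
    } else if (ref[1] &&
               ref[1].toLowerCase() !== componentNamespace.toLowerCase()) {
      // Unprefixed references are not flagged (assumption: they resolve
      // to the component's own namespace). Comparison ignores case (assumption).
      findings.push('namespace-mismatch');
    }
  }
  return findings;
}

// Constructed sample markup, modelled on the snippets above.
const SAMPLES = {
  ok: `<aura:component>
  <lightning:container src="{!$Resource.vendor1__resource + '/index.html'}"/>
</aura:component>`,
  mismatch: `<aura:component>
  <lightning:container src="{!$Resource.vendor2__resource + '/index.html'}"/>
</aura:component>`,
  iframe: `<aura:component>
  <iframe src="https://example.invalid/app/index.html"></iframe>
</aura:component>`,
};

for (const [name, markup] of Object.entries(SAMPLES)) {
  console.log(name, lintContainerMarkup(markup, 'vendor1'));
}
```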