Improve Security by Isolating Untrusted Third-Party Content with iframes

You can now isolate HTML static resources on a separate domain using iframes. Using a separate domain to embed information from untrusted sources protects your Visualforce content.

Where: This feature applies to Lightning Experience, Salesforce Classic, and all versions of the Salesforce app in Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, and Developer editions.

How: To reference a static HTML file on a separate domain, use $IFrameResource.<resource_name> as a merge field, where resource_name is the name you specified when you uploaded the static resource.