Lightning Container Component Security Requirements

Ensure that your Lightning container components meet security requirements.

Namespace Validity

The Lightning container component’s security measures check the validity of its namespaces. Suppose that you develop a <lightning:container> component with the namespace “vendor1.” The static resource’s namespace must also be “vendor1.” If they don’t match, an error message appears.

<aura:component>
  <lightning:container
    src="{!$Resource.vendor1__resource + '/code_belonging_to_vendor1'}"
    onmessage="{!c.vendor1__handles}"/>
<aura:component>

Static Resource Content Access

You can’t use raw <iframe> elements to access a Lightning container component. The <lightning:container> component enforces this requirement with the query parameter _CONFIRMATIONTOKEN, which generates a unique ID for each user session. The following code isn’t permitted, because the <iframe> src attribute doesn’t contain a _CONFIRMATIONTOKEN query parameter.

<aura:component>
  <iframe src="https://domain--vendor2.container.lightning.com/lcc/123456/vendor2__resource/index.html"/>
</aura:component>

Instead, use the $Resource global value provider to build the resource URL for the <lightning:container> component.

<aura:component>
  <lightning:container
    src="{!$Resource.vendor2__resource + '/index.html' }"/>
</aura:component>

Distribution Requirements

To upload a package to AppExchange, you must supply all the Lightning container component’s original sources and dependencies. When you provide minified or transpiled code, you must also include the source files for that code and the source map (.js.map) files for the minified code.