LockerService

  • Primary and preferred isolation mechanism for the Lightning Component Framework.
  • LockerService wraps standard objects such as window, document and DOM elements in secure versions of those objects:
    • SecureWindow, SecureDocument and SecureElement
  • Provides controlled access to APIs and regions of the DOM
  • When components are loaded, they are given the secure wrappers (SecureWindow and SecureDocument) in place of the standard objects (window and document)
  • When a component invokes a method on the document or window object, the secure wrapper can apply the appropriate security restrictions before delegating to the real object

Access - namespace-based access control mechanism

Access to the DOM of another component will be:

  • Granted if the other component is in the same namespace
  • Denied if the other component is in a different namespace
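
To make the wrapper idea and the namespace rule concrete, here is an added JavaScript sketch (not Salesforce's LockerService code) over a constructed in-memory "DOM": each component receives a SecureDocument bound to its namespace, lookups of elements owned by another namespace are denied (null), and the SecureElement handed back only exposes an allow-listed surface of the raw element. The element shape, the ownerNamespace tag and the allow-list are assumptions made for the illustration.

```javascript
'use strict'; // LockerService code runs in strict mode; so does this sketch

// Constructed toy DOM: each element is tagged with the namespace of the component that owns it.
// 'secret' stands in for raw internals that a wrapped element must never expose.
const rawDocument = {
  elements: [
    { id: 'c:greeting', ownerNamespace: 'c', innerHTML: 'Hello', secret: 'raw-only' },
    { id: 'ui:button',  ownerNamespace: 'ui', innerHTML: 'Click', secret: 'raw-only' },
  ],
  getElementById(id) {
    return this.elements.find((e) => e.id === id) || null;
  },
};

// Assumed allow-list: the only properties a SecureElement passes through to the raw element.
const ALLOWED_PROPS = new Set(['id', 'innerHTML', 'tagName']);

// SecureElement: a Proxy that filters every read and write against the allow-list,
// so the raw element's internals are neither readable nor writable through the wrapper.
function secureElement(raw) {
  return new Proxy(raw, {
    get(target, prop) {
      if (!ALLOWED_PROPS.has(prop)) return undefined; // hidden, e.g. 'secret'
      return target[prop];
    },
    set(target, prop, value) {
      if (!ALLOWED_PROPS.has(prop)) {
        throw new TypeError(`SecureElement: cannot set ${String(prop)}`);
      }
      target[prop] = value;
      return true;
    },
  });
}

// SecureDocument for one component namespace: access to an element is granted only
// when the element belongs to the same namespace; otherwise the lookup is denied.
function secureDocumentFor(namespace) {
  return {
    getElementById(id) {
      const raw = rawDocument.getElementById(id);
      if (!raw) return null;
      if (raw.ownerNamespace !== namespace) return null; // different namespace: denied
      return secureElement(raw);                         // same namespace: wrapped, not raw
    },
  };
}

// Usage: the 'c' component can reach its own element but not the 'ui' one.
const cDocument = secureDocumentFor('c');
const ownElement = cDocument.getElementById('c:greeting');   // SecureElement
const foreignElement = cDocument.getElementById('ui:button'); // null
```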

Enforcements - Industry best practices

LockerService enforces:

  • JavaScript ES5 strict mode is automatically enabled, similar to:
    // Whole-script strict mode syntax
    'use strict';
    var v = "Hi! I'm a strict mode script!";
    
  • Libraries that do not support strict mode will not work with LockerService

  • Content Security Policy (CSP):

    • The 'unsafe-eval' and 'unsafe-inline' CSP keywords are disallowed
    • Libraries that rely on eval() or on inline JavaScript execution will not work with LockerService

LockerService advantages

  • No iframes: components live in the same DOM, which gives better performance
  • Straightforward, natural communication between components
  • Cohesive UI
  • Eliminates DOM scraping vulnerabilities
  • Mitigates the impact of developer mistakes such as missing output escaping
  • Cross-site scripting (XSS) and template injection are no longer possible
  • Eliminates server-side action invocation/spoofing

LockerService Limitations

  • Non-compliant libraries will not work with LockerService
