LockerService
- Primary and preferred isolation mechanism for the Lightning Component Framework.
- LockerService wraps standard objects such as window, document, and element inside secure versions of these objects: SecureWindow, SecureDocument, and SecureElement
- Provides controlled access to APIs and regions of the DOM
- When components are loaded, they are provided with the secure wrappers (secureWindow and secureDocument) in lieu of the standard objects (window and document)
- When a component invokes a method on the document or window object, the secure wrapper can apply appropriate security restrictions
Access - namespace-based access control mechanism
Access to the DOM of another component is:
- Granted if the other component is in the same namespace
- Denied if the other component is in a different namespace
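The following is an added illustration of the namespace rule above, not LockerService's own code: a simplified model in which every rendered node records the namespace that created it, and a secure wrapper (a stand-in for SecureElement) only exposes nodes owned by the calling component's namespace. The Node class, the secureElement function, and the sample tree are all constructed for this example.

```javascript
// Simplified model of namespace-based DOM access control.
// Added example: not LockerService's implementation, just the rule it enforces.

// A minimal stand-in for a DOM node that remembers which namespace rendered it.
class Node {
  constructor(tag, namespace, children = []) {
    this.tag = tag;
    this.namespace = namespace;
    this.children = children;
  }
}

// Wrap a node for a caller in `callerNamespace`. Access to a node owned by a
// different namespace is denied outright; children from other namespaces are
// filtered out of what the caller can see, and writes are refused.
function secureElement(node, callerNamespace) {
  if (node.namespace !== callerNamespace) {
    throw new Error(
      `Access denied: <${node.tag}> belongs to namespace "${node.namespace}"`
    );
  }
  return new Proxy(node, {
    get(target, prop) {
      if (prop === 'children') {
        return target.children
          .filter((child) => child.namespace === callerNamespace)
          .map((child) => secureElement(child, callerNamespace));
      }
      return target[prop];
    },
    set(target, prop) {
      throw new Error(`Secure wrapper is read-only: cannot set "${String(prop)}"`);
    },
  });
}

// Constructed sample tree: a container rendered by namespace "c" that holds one
// child from "c" and one child rendered by a component from namespace "other".
const sampleDom = new Node('div', 'c', [
  new Node('span', 'c'),
  new Node('button', 'other'),
]);

// Tags a component in `namespace` can see under the container, or [] if denied.
function visibleTags(namespace) {
  try {
    return secureElement(sampleDom, namespace).children.map((c) => c.tag);
  } catch (e) {
    return [];
  }
}

// "granted" or "denied" for a component in `namespace` touching the container.
function accessOutcome(namespace) {
  try {
    secureElement(sampleDom, namespace);
    return 'granted';
  } catch (e) {
    return 'denied';
  }
}

console.log('namespace c sees:', visibleTags('c'));          // [ 'span' ]
console.log('namespace other:', accessOutcome('other'));     // denied
```

The same-namespace component sees only the `span` it owns; the `button` rendered by another namespace is invisible to it, and a component from `other` cannot reach the container at all.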
Enforcements - Industry best practices
LockerService enforces:
- JavaScript ES5 strict mode is automatically enabled, similar to:
    // Whole-script strict mode syntax
    'use strict';
    var v = "Hi! I'm a strict mode script!";
Libraries that do not support strict mode will not work with LockerService
Content Security Policy (CSP):
- 'unsafe-eval' and 'unsafe-inline' are disallowed
- Libraries that rely on eval() or on inline JavaScript execution will not work with LockerService
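The following is an added example, not part of the original notes or of LockerService, that helps triage the two enforcement points above: it compiles a library snippet with 'use strict' prepended and reports whether it fails at parse time (constructs strict mode forbids outright), at run time (behaviour strict mode turns into errors), or passes. The strictModeCheck function and the constructed snippets are assumptions for this illustration. Because the check itself uses new Function, which is exactly what a CSP without 'unsafe-eval' blocks, it belongs in a build or test step, not in the CSP-restricted runtime.

```javascript
// Added example: classify a library snippet's compatibility with ES5 strict mode.
// Not LockerService code; a build-time triage helper for the rule "libraries
// that do not support strict mode will not work".

// Returns { ok: true } or { ok: false, stage: 'parse' | 'runtime', error: <name> }.
function strictModeCheck(source) {
  let compiled;
  try {
    // Directive prologue puts the whole function body in strict mode.
    compiled = new Function("'use strict';\n" + source);
  } catch (e) {
    // e.g. `with`, octal literals, duplicate parameter names: rejected by the parser
    return { ok: false, stage: 'parse', error: e.name };
  }
  try {
    compiled();
  } catch (e) {
    // e.g. assigning to an undeclared identifier: a ReferenceError under strict mode
    return { ok: false, stage: 'runtime', error: e.name };
  }
  return { ok: true };
}

// Constructed sample snippets standing in for third-party library code.
const samples = {
  usesWith: "var cfg = { a: 1 }; with (cfg) { a; }",
  octalLiteral: "var mask = 010;",
  leaksGlobal: "leaked = 1;",
  compliant: "var v = 'Hi! I am a strict mode script!'; return v;",
};

// Run every sample and collect the outcomes keyed by name.
function checkAll() {
  const report = {};
  for (const name of Object.keys(samples)) {
    report[name] = strictModeCheck(samples[name]);
  }
  return report;
}

console.log(checkAll());
```

Only the last snippet passes; the `with` statement and the legacy octal literal are rejected before the code ever runs, while the undeclared assignment only surfaces once executed, which is why a parse-only check is not enough on its own.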
LockerService advantages
- No iframe. Components live in the same DOM (better performance)
- Straightforward, natural communication between components
- Cohesive UI
- Eliminates DOM scraping vulnerabilities
- Mitigates the impact of developer mistakes such as the lack of proper escaping
- Cross-site scripting (XSS) and template injection are no longer possible
- Eliminates spoofed server-side action invocations
LockerService Limitations
- Non-compliant libraries will not work with LockerService