Salesforce Locker Service

Salesforce Locker Service is a security architecture provided by Salesforce for Lightning components. It aims to improve the security of the Lightning Component Framework by enforcing stricter JavaScript security policies and DOM access restrictions. Locker Service enhances the security and stability of Lightning components

Enabling Locker Service Provides the following features

Namespace Isolation: Locker Service isolates Lightning components in their own namespace, preventing them from accessing or modifying components in other namespaces. This isolation helps prevent conflicts and ensures that components behave predictably.

Secure DOM Access: Locker Service provides a secure wrapper around the Document Object Model (DOM), preventing Lightning components from accessing or modifying elements outside of their own DOM hierarchy. This helps mitigate security vulnerabilities such as cross-site scripting (XSS) attacks.

Strict JavaScript Context: Locker Service enforces strict JavaScript rules within Lightning components, prohibiting the use of global variables and functions that could potentially introduce security vulnerabilities or conflicts with other components.

API Versioning: Locker Service is versioned, allowing Salesforce to introduce new security enhancements and bug fixes without breaking existing Lightning components. Developers can specify the version of Locker Service to use in their Lightning components.

Example

<!-- SampleComponent.cmp -->

<aura:component>

    <aura:handler name="init" value="{!this}" action="{!c.doInit}"/>

</aura:component>

// SampleComponentController.js
({
    doInit : function(component, event, helper) {
        console.log(window.location.href);
    }
})

Without Locker Service enabled, this Lightning component would output the current URL to the console when initialized. However, with Locker Service enabled, this code would throw an error because it's trying to access the window object directly, which is not allowed.

To make this component Locker Service-compatible, we can use the $A.get() method to access the window location:

<!-- SampleComponent.cmp -->
<aura:component>
    <aura:handler name="init" value="{!this}" action="{!c.doInit}"/>
</aura:component>

// SampleComponentController.js
({
    doInit : function(component, event, helper) {
        var location = $A.get('$Sandbox').location.href;
        console.log(location);
    }
})

Locker Service is renamed Lightning Locker to better reflect that it is for securing code running on the Lightning Platform.

Links

$A namespace

Lightning Locker

Security with Lightning Locker

Comments

Popular posts from this blog

Introduction to Salesforce Agent Script: Build Predictable AI Agents

Anti-Patterns in Salesforce Agentforce: What to Avoid When Building AI Agents

MCP vs. Traditional APIs: Choosing the Right Integration Approach