Salesforce Lightning Locker Tools

Lightning Locker tools help you develop more secure code that is compatible and runs efficiently with Lightning Locker.

Lightning Locker API Viewer

Locker API Viewer shows Lightning Locker’s support of the standard DOM APIs in the Window, Document, and Element objects. The SecureWindow, SecureDocument, and SecureElement wrappers prevent the use of APIs that are labeled Not Supported.

Locker Console Overview

Use Locker Console to check your JavaScript code’s compatibility with Lightning Locker, and compare how it runs with Lightning Locker enabled and disabled.

MIME Types Permitted - MIME Types Permitted | Lightning Aura Components Developer Guide | Salesforce Developers

Lightning Locker analyzes the MIME types used in Blob objects. Locker permits some MIME types, sanitizes some MIME types, and blocks the rest.

Lightning Locker allows these MIME types.

application/octet-stream — Default value for binary files
application/json — JSON format
application/pdf — Portable Document Format (.pdf)
video/ — All video/* mime types
audio/ — All audio/* mime types
image/ — All image/* mime types
font/ — All font/* mime types
text/plain — Text (.txt)
text/markdown — Markdown (.md)
application/zip — Zip archive (.zip)
application/x-bzip — Bzip archive (.bz)
application/x-rar-compressed — RAR archive (.rar)
application/x-tar — Tape archive (.tar)

Locker sanitizes text/html, image/svg+xml, and text/xml MIME types. These types are permitted but Locker removes potentially malicious code.

Any other types are blocked with the error message Unsupported MIME type.

To send binary files that are not explicitly permitted, specify the MIME type as application/octet-stream.

Secure Wrappers - Secure Wrappers | Lightning Aura Components Developer Guide | Salesforce Developers 

For security, Lightning Locker restricts the use of global objects by hiding an object or by wrapping it in a secure version of the object. For example, the secure version of window is SecureWindow. Locker intercepts calls to window and uses SecureWindow instead. Some methods and properties have different behavior or aren’t available on the secure objects.

Lightning Locker also replaces instances of other objects, such as components and events, with secure wrapped versions. 

Here’s a list of the most common wrappers that you encounter.

  • SecureAura
  • SecureComponent
  • SecureComponentRef
  • SecureDocument
  • SecureElement
  • SecureObject
  • SecureWindow


Comments

Popular posts from this blog

Introduction to Salesforce Agent Script: Build Predictable AI Agents

Anti-Patterns in Salesforce Agentforce: What to Avoid When Building AI Agents

MCP vs. Traditional APIs: Choosing the Right Integration Approach