Here is the Agenda –
1 What is Lightning Locker Service?
2 Why there is a need for Lightning Locker?
— Why do we say that browsers can be insecure?
— What is cross-site scripting(XSS)?
3 How it impacts your Lightning Components?
4 How you can enable/disable Lightning Locker
What is Lightning Locker Service ?
Lightning Locker is a layer which sits in between your browser and DOM (document object). In other words, Lightning Locker is a virtual browser that allows only secure request to go through and have access to real DOM. This virtual browser sits in front of your unsafe real browser.
Why do we say that browsers can be insecure ?
What is cross-site scripting(XSS) ?
Injecting Via Form
Injecting Via URL
How it impacts your Lightning Components
Lightning Framework is a component-based framework, where multiple components are placed together on the same page to give you a combined output. These components can be:
- Base lightning component (lightning namespace like lightning:button)
- Other out of the box components (like force, ui, aura namespace)
- Custom components (You org’s custom components, generally from “c” namespace)
- Managed/Unmanaged package components
- One component can traverse the DOM of another component. That means my managed package component can read or traverse the DOM of my Org’s custom components.
- Components can call private APIs.
- If strict mode is not enabled (without lightning locker), can lead to other security issues
Advantages of Lightning Locker Services
- A component cannot traverse the DOM of another component if another component belongs to a different namespace. Example, we cannot read the DOM of lightning base components as they belong to “lightning” namespace.
- Custom components do not have access to system APIs. Example, the custom component cannot access $A.eventService API.
- You cannot have access to external JS libraries without uploading those in the static resource.
- Salesforce authored or Out of the box components will still have unrestricted access to DOM and APIs as these components will run in System Mode.
How you can enable/disable Lightning Locker
How to disable lightning locker?
You can disable lightning locker by changing the api version of lightning component bundle to 39 or below.
How to enable lightning locker?
Lightning locker is automatically enabled for component bundles having api version 40 or above.
Here is recording of session :-
Here is PPT of session.
Thank you so much Manish Choudhari for a great session.