

Salesforce Lightning Locker vs. Lightning Web Security: What’s the Deal?
Keeping your Salesforce web apps secure on the client-side is super important, especially when you’ve got different components from various places all living together. Salesforce offers two main security systems for this: Lightning Locker and the newer Lightning Web Security (LWS). They both aim to keep your Lightning components secure and isolated, but they do it in different ways. LWS is generally the preferred option now, building on what Salesforce learned from Lightning Locker. Join us to learn about Salesforce Lightning Locker vs. Lightning Web Security.
What is Salesforce Lightning Locker?
Salesforce Lightning Locker isolates components (both Aura and LWC) by running each in its own namespace. This stops them from messing with each other’s code, look, or data. It also encourages developers to write better JavaScript.
How Lightning Locker Keeps Things Safe:
Lightning Locker uses DOM Access Containment, meaning a component can only touch its own parts of the webpage. It also uses Secure Wrappers around things like window and document to control access, and Proxy Objects to manage how components interact with JavaScript objects, ensuring they only touch their own DOM elements. Plus, it limits the use of risky JavaScript features like eval().
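The containment rule above, as an added toy model that is not Salesforce's code: a tiny in-memory DOM whose nodes record the namespace that created them, and a Proxy "secure wrapper" that hides every node owned by another namespace, including nodes reached through child traversal and method results. `DomNode`, `secureDocument` and the `nsA`/`nsB` names are assumptions for the example.

```javascript
// Added toy model of Locker-style DOM Access Containment; not Salesforce's code.
// Every node records the namespace that created it, and a Proxy "secure wrapper"
// hides nodes owned by other namespaces from the component that reaches for them.
class DomNode {
  constructor(tag, owner) { this.tag = tag; this.owner = owner; this.children = []; this.textContent = ''; }
  appendChild(n) { this.children.push(n); return n; }
  // Depth-first list of descendants with the given tag (a minimal querySelectorAll).
  querySelectorAll(tag) {
    return this.children.flatMap(c => (c.tag === tag ? [c] : []).concat(c.querySelectorAll(tag)));
  }
}
const realDocument = new DomNode('#document', 'system'); // the shared, unwrapped page
const targets = new WeakMap();                            // proxy -> real node
const unwrap = (v) => targets.get(v) || v;
// Wrap whatever crosses the boundary: arrays are filtered, foreign nodes become null,
// own nodes get a Proxy that applies the same rule to every property and method result.
function wrapValue(v, ns) {
  if (Array.isArray(v)) return v.map(x => wrapValue(x, ns)).filter(x => x !== null);
  if (!(v instanceof DomNode)) return v;
  if (v.owner !== ns) return null;
  const proxy = new Proxy(v, {
    get(t, prop) {
      const member = t[prop];
      if (typeof member === 'function') return (...a) => wrapValue(member.apply(t, a.map(unwrap)), ns);
      return wrapValue(member, ns);
    },
  });
  targets.set(proxy, v);
  return proxy;
}
// The "secure document" a component in namespace ns is handed instead of the real one.
function secureDocument(ns) {
  return {
    createElement: (tag) => wrapValue(new DomNode(tag, ns), ns),
    appendChild: (n) => { realDocument.appendChild(unwrap(n)); return n; },
    querySelector: (tag) => wrapValue(realDocument.querySelectorAll(tag).find(n => n.owner === ns) ?? null, ns),
  };
}
// Component A hosts a node from component B, yet A's view never contains B's node.
function demo() {
  const docA = secureDocument('nsA'), docB = secureDocument('nsB');
  const host = docA.createElement('div'); host.textContent = 'A host'; docA.appendChild(host);
  const secret = docB.createElement('div'); secret.textContent = 'B-only data';
  unwrap(host).appendChild(unwrap(secret));   // the framework nests B's markup inside A's host
  return {
    aSeesOwn: docA.querySelector('div').textContent,   // 'A host'
    aChildCount: host.children.length,                 // 0: B's node is filtered out of A's view
    aDeepQuery: host.querySelectorAll('div').length,   // 0: same rule for method results
    bSeesOwn: docB.querySelector('div').textContent,   // 'B-only data'
  };
}
```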
Who Does Lightning Locker Apply To?
Lightning Locker was the default security for most Lightning components in older Salesforce orgs (created before Winter ’23, using API version 9.0 or later).
What is Lightning Web Security?
Lightning Web Security (LWS), introduced in Spring ’22, uses namespace JavaScript sandboxes. Each component runs in its own isolated virtual space, managed by LWS, which controls what it can access. This separation is mostly invisible to the components, making it easy for them to work together even if they’re from different namespaces.
How Lightning Web Security Keeps Things Safe:
LWS uses API distortions to change how standard JavaScript features work, preventing unsafe actions and keeping code within its sandbox. These distortions filter content, clean up inputs, and manage property access to prevent unauthorized access. LWS also keeps namespaces separate for things like global objects and cookies. For LWCs, it enforces a closed shadowRoot for better isolation.
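The cookie separation mentioned above, as an added toy model of a distortion that is not Salesforce's implementation: the `cookie` property handed to a sandbox is replaced by a getter/setter pair that stores writes under a namespace prefix and returns only that namespace's entries. The `__ns__` prefix scheme, `distortedDocument` and the in-memory `cookieStore` are assumptions for the example.

```javascript
// Added toy model of an LWS-style API distortion; not Salesforce's implementation.
// An in-memory Map stands in for the browser cookie store so the example runs in Node.
const cookieStore = new Map();   // raw cookie name -> value, shared by all sandboxes

// Minimal parser for the "name=value; attr=..." string a cookie setter receives.
function parseSetCookie(str) {
  const [pair] = String(str).split(';');
  const eq = pair.indexOf('=');
  if (eq < 0) return null;                       // malformed: the distortion drops it silently
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim() };
}

// The document a sandbox for namespace ns receives. Its cookie property is distorted:
// writes are stored under a namespace prefix and reads return only that namespace's
// cookies with the prefix removed, so one namespace never observes another's cookies.
function distortedDocument(ns) {
  const prefix = `__${ns}__`;                    // assumed prefix scheme, illustrative only
  return {
    get cookie() {
      return [...cookieStore]
        .filter(([name]) => name.startsWith(prefix))
        .map(([name, value]) => `${name.slice(prefix.length)}=${value}`)
        .join('; ');
    },
    set cookie(str) {
      const parsed = parseSetCookie(str);
      if (parsed) cookieStore.set(prefix + parsed.name, parsed.value);
    },
  };
}

// Two sandboxes write a cookie of the same name; each reads back only its own.
function demo() {
  const docA = distortedDocument('nsA'), docB = distortedDocument('nsB');
  docA.cookie = 'session=a1; path=/';
  docB.cookie = 'session=b2; path=/';
  docB.cookie = 'theme=dark';
  docB.cookie = 'garbage-without-equals';        // rejected by the parser, never stored
  return { a: docA.cookie, b: docB.cookie, stored: [...cookieStore.keys()] };
}
```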
Who Does Lightning Web Security Apply To?
LWS initially supported LWCs. Since Summer ’23, it’s available for both LWCs and Aura components in all Salesforce orgs. It’s the default for new orgs since Winter ’23 and is also used in Experience Cloud LWR sites.
Comparing the Core Ways They Isolate Components:
Lightning Locker uses Secure Wrappers and Proxy Objects, while LWS uses JavaScript Sandboxes and API Distortions. Locker’s wrapping can slow things down, but LWS’s sandboxing is generally faster. Both control DOM access, but LWS allows smoother interaction with global objects within its sandbox. LWS is a more modern and efficient approach.
How Do They Perform?
LWS generally performs better than Lightning Locker because it doesn’t use wrappers, and its sandbox execution is faster. LWS also resolves array handling performance issues seen in Locker. For many common tasks, LWS offers significant performance improvements.
The Journey to Lightning Web Security:
1. When Did It Arrive?
LWS was introduced in Spring ’22 for LWCs, with a gradual rollout starting in February 2022. It became generally available for both LWCs and Aura in Summer ’23 and is the default for new orgs since Winter ’23.
2. Why Did Salesforce Introduce It?
LWS aims to make secure coding easier and is intended to replace Lightning Locker. It better prevents cross-namespace interference with fewer restrictions. LWS has better support for third-party libraries and custom elements, aligns with the latest JavaScript standards, and offers more robust isolation with easier global object interaction.
Pros and Cons: A Side-by-Side Look:
1. What’s Good and Not So Good About Lightning Locker:
- Pros: Basic security for older orgs, enforces DOM access control, controls global object access, needed for Lightning Out.
- Cons: Can be slower, restricts custom elements and third-party web components, potential issues with third-party libraries, array handling performance issues, blocks iframe content.
2. What’s Good and Not So Good About Lightning Web Security:
- Pros: Better performance, allows cross-namespace component use, secure global object interactions, allows iframe content access (same origin), supports custom elements and third-party web components in LWCs, better third-party library compatibility, compatible with evolving JavaScript, fine-grained blocking of unsafe behaviors.
- Cons: Lightning Out not supported, Aura component migration might need adjustments, potential minor performance variations in highly optimized code.
Key Differences at a Glance: Salesforce Lightning Locker vs. Lightning Web Security
| Feature/Aspect | Lightning Locker | Lightning Web Security |
|---|---|---|
| Core Isolation Mechanism | Secure Wrappers, Proxy Objects | JavaScript Sandboxes, API Distortions |
| Performance | Can introduce overhead | Generally improved |
| Third-Party Library Support | Potentially limited | Better support |
| Custom Element Support | Blocked | Supported in LWCs |
| Iframe Access | Blocked | Allowed (same origin) |
| Cross-Namespace Communication | Restricted | Allowed |
| Global Object Interaction | Through secure wrappers | Direct within sandbox |
| Lightning Out Support | Supported | Not Supported |
Thinking About Switching? Here’s What to Consider:
Salesforce’s Lightning Web Security (LWS) introduces several powerful tools to help developers enhance security, identify potential vulnerabilities, and debug issues efficiently. Below is an overview of three essential LWS tools:
1. LWS Distortion Viewer
Purpose: The LWS Distortion Viewer allows developers to inspect and analyze distortions applied to global objects and DOM APIs within a Lightning Web Security environment.
Key Features:
Displays a list of distorted APIs and objects, providing visibility into modifications introduced by LWS. Helps developers understand which methods, properties, and constructors are distorted to prevent security risks.
Usage:
You can view distortions applied by navigating to the LWS Distortion Viewer and selecting the desired APIs. Use this tool to detect unintended restrictions or unexpected behavior caused by distortions and modify your code accordingly.
2. LWS Console
Purpose: The LWS Console provides a developer-friendly interface for evaluating JavaScript expressions and debugging LWC code in the context of LWS.
Key Features:
Enables direct interaction with the LWC security layer, allowing real-time inspection and troubleshooting. Supports command execution and object exploration within the secure environment.
Usage:
Access the LWS Console to experiment with JavaScript commands and inspect LWC runtime behavior. Use the console to identify unexpected behaviors in distorted APIs, verify secure JavaScript execution, and debug inconsistencies between standard JavaScript and LWS-secured environments.
3. LWS Linting Tool
Purpose: The LWS Linting Tool identifies and flags potential LWS-specific security violations and coding errors before deployment.
Key Features:
Highlights issues where code might violate LWS constraints, ensuring compliance with security best practices. Provides detailed warnings and suggestions to address vulnerabilities, such as unsafe object access or improper DOM manipulation.
Usage:
Run the LWS Linting Tool to analyze your LWC code and receive detailed feedback on compliance. Integrate this tool into your CI/CD pipeline to prevent security vulnerabilities during the development lifecycle.
Wrapping Up and What We Recommend:
Lightning Locker and LWS offer different security approaches. LWS is the better choice for new projects and migrations due to its improved performance and support for modern web technology. If you use Lightning Out a lot, consider the implications. Always test in a sandbox first. LWS is a significant step forward for Salesforce client-side security, offering a more flexible and efficient way to build secure apps.
Sources
- https://developer.salesforce.com/docs/platform/lightning-components-security/guide/get-started-intro.html
- https://developer.salesforce.com/docs/component-library/tools/lws-console