If you’ve been using Salesforce for a while, you know that trust is one of our highest values. We want you to feel safe leveraging the Lightning Platform, even in the midst of scary computer security stories. That is why we developed Lightning Locker, and this blog post is going to help illustrate everything you need to know about the enhancements we’ve been making.
Why you need Lightning Locker
Computer security had a rough year. We witnessed data breaches at Uber and Equifax, to name just two incidents at large companies. Vulnerabilities labeled Spectre and Meltdown were found in Intel and AMD microprocessors. Google had to take down over 700,000 Android apps and Facebook is under FTC investigation over its handling of user data.
Each one of these businesses invests a tremendous amount of effort into security. Still, they make the news and face challenges because of fundamental changes in computing.
- Barriers are disappearing between business entities, between office and mobile, and between hardware and software.
- Everything is available digitally using some process, somewhere in some system, because all valuable information eventually gets computerized.
The browser is our primary portal to this interconnected digital world. Although modern browsers evolve rapidly to fix security holes thanks to auto-update, several new security practices are still optional or even incomplete. That’s where Lightning Locker comes in.
Lightning Locker is a virtual browser that sits in front of the real browser to ensure safe code execution. It’s a layer that disables unsafe browser features or replaces them with a secure version.
Although some browsers have disabled
SharedArrayBuffer by default, Lightning Locker ensures that it’s completely unavailable beginning Summer ‘18.
Trick: Use the Lightning Locker API (URL) viewer to quickly discover what features are supported. If you are facing an issue with compatibility, check whether the API you need is listed in red (which means it’s not supported) or in orange (in that case, it’s supported but using a different behavior than the browser API).
Every time you log in to a website, a session is established so you don’t have to log in again for every page load. The browser usually stores sessions in cookies and all cookies are stored in a “cookie jar.” Lightning Locker protects the cookie jar from unauthorized use, but previously had to disable “unsafe-eval” with Content Security Policy (CSP) to make that protection effective.
Beginning with Summer ‘18, Lightning Locker provides a safe
eval() and a safe
Function() to improve compatibility with third-party code while maintaining full protection, and turning on CSP doesn’t disable those APIs anymore.
For example, templating engines can really improve the maintainability of a project when creating HTML. To accelerate the output, those engines often use
Function() to produce a compiled version.
If your project depends directly on a templating engine (such as the one provided by the hugely popular underscore.js and lodash.js), or indirectly via another dependency (such as Backbone.js), Lightning Locker has you covered. Secure
Function() will ensure everything runs normally, while at the same time preventing access to other namespaces or to the Lightning framework itself.
Cross-site scripting (a.k.a. XSS)
Most websites are built with dynamic pages that can display all sorts of data provided by users, such as posts and comments. An attacker could submit malicious code within a post and if the website developer doesn’t filter out that code, it then executes on the browser of every visitor to the site. That’s XSS in a nutshell.
XSS is by far the most common type of vulnerability found on websites. Metrics show that XSS accounts for 50 percent of all vulnerabilities, and that number has remained stable for years. Filters must be added manually in every framework, library, and component — each time data is passed to the web page — and that complexity explains why the problem isn’t going away, and why we need more robust solutions.
Lightning Locker adds an extra layer of safety by filtering all HTML to help prevent the injection of malicious code. Regardless, Salesforce still recommends that you activate Stricter CSP to protect against XSS.
Lightning Locker provides various mechanisms that increase the security of all code running in the browser. Lightning Locker is constantly evolving and adapting to meet new security challenges.
Because secure code can run everywhere, making your code compatible with Lightning Locker means your solutions are more likely to be accepted by customers and used in more scenarios. You can count on Lightning Locker to do some of the heavy lifting required to secure your code, which allows you to focus on delivering the features that are unique to your solution.
If you would like more information about any of these features be sure to check out the following:
- Lightning Components Winter ‘18 Release Notes
- TrailheaDX’18 Video: Avoid Common Security Mistakes
- Trailhead Module: Security for Lightning Components
About the author
Jean-Francois Paradis is a Software Engineering Architect at Salesforce.