Lightning Components Developer Guide

What is the Lightning Component Framework?
Quick Start
Creating Components
Using Components
Communicating with Events
Creating Apps
App Overview
Designing App UI
Creating App Templates
Developing Secure Code
Content Security Policy Overview
LockerService Rules for Writing Secure Code
Salesforce Lightning CLI
Styling Apps
Using JavaScript
JavaScript Cookbook
Using Apex
Controlling Access
Using Object-Oriented Development
Caching with Storage Service
Using the AppCache
Distributing Applications and Components
Debugging
Reference
PDF

Newer Version Available

This content describes an older version of this product. View Latest

LockerService Rules for Writing Secure Code

LockerService is a powerful security architecture for Lightning components. LockerService enhances security by isolating individual Lightning components in their own containers. LockerService also promotes best practices that improve the supportability of your code by only allowing access to supported APIs and eliminating access to non-published framework internals.

LockerService Requirements

LockerService enforces several security features in your code.
JavaScript ES5 Strict Mode Enforcement
JavaScript ES5 strict mode is implicitly enabled. You don't need to specify "use strict" in your code. Enforcement includes declaration of variables with the var keyword and other JavaScript coding best practices. The libraries that your components use must also work in strict mode.
DOM Access Containment
A component can only traverse the DOM and access elements created by that component. This behavior prevents the anti-pattern of reaching into DOM elements owned by other components.
Restrictions to Global References
LockerService applies restrictions to global references. You can access intrinsic objects, such as Array. LockerService provides secure versions of non-intrinsic objects, such as window. The secure object versions automatically and seamlessly control access to the object and its properties.
Use the Salesforce Lightning CLI tool to scan your code for Lightning-specific issues.
Access to Supported JavaScript API Framework Methods Only
You can access published, supported JavaScript API framework methods only. These methods are published in the reference doc app at https://yourDomain.lightning.force.com/auradocs/reference.app. Previously, unsupported methods were accessible, which exposed your code to the risk of breaking when unsupported methods were changed or removed.

The preceding security features are enforced when LockerService is active in your org. LockerService is a critical update for this release. LockerService will be automatically activated for all orgs in the Spring ’17 release. Before the Spring ’17 release, you can manually activate and deactivate the update as often as you need to evaluate the impact on your org.

In a future release, LockerService will be extended to cover additional security features.
Stricter Content Security Policy (CSP)
LockerService will tighten CSP to eliminate the possibility of cross-site scripting attacks by disallowing the unsafe-inline and unsafe-eval keywords for inline scripts (script-src). As a best practice, eliminate use of these keywords in your code, and update third-party libraries to modern versions that don’t depend on unsafe-inline or unsafe-eval.

IE11 doesn’t support CSP, so we recommend using other supported browsers for enhanced security.

Note

These CSP changes aren’t enforced by LockerService currently, but it’s worth planning ahead. The Salesforce Lightning CLI tool reports issues that are enforced by LockerService today, as well as issues that aren’t enforced today, but which are planned to be enforced in the future.

Don’t Use instanceof

When LockerService is enabled, the instanceof operator is unreliable due to the potential presence of multiple windows or frames. To determine a variable type, use typeof or a standard JavaScript method, such as Array.isArray(), instead.

Activate the Critical Update

LockerService is a critical update for this release. LockerService will be automatically activated for all orgs in the Spring ’17 release. Before the Spring ’17 release, you can manually activate and deactivate the update as often as you need to evaluate the impact on your org.

To activate this critical update:

  1. From Setup, enter Critical Updates in the Quick Find box, and then select Critical Updates.
  2. For “Enable Lightning LockerService Security”, click Activate.
  3. Refresh your browser page to proceed with LockerService enabled.

LockerService is automatically enabled for:

  • New orgs created after the Summer ’16 release
  • All existing orgs with no custom Lightning components

If you don’t see this critical update in your org, LockerService has been automatically enabled and can’t be disabled. Automatic enablement occurs within 24 hours after the release.

You can disable LockerService in a Developer Edition org created after the Summer ’16 release. We recommend that you test LockerService in a Developer Edition org to verify correct behavior of your components before enabling it in your production org.

Note

Components Installed from Managed Packages

If the critical update is not visible, there is an exception for this release for components installed from a managed package. These components continue to run without enforcement of LockerService restrictions.

If the critical update isn’t visible, components that you create in your org run with enforcement of LockerService restrictions. Components created in your org are in the default namespace, c, or in your org’s namespace, if you created a namespace.

This exception is just for this release. When LockerService is enabled for all orgs, it will be enforced for all Lightning components.

Here’s a table summarizing when LockerService is enforced.

Component Source Critical Update Visible and Not Activated Critical Update Visible and Activated Critical Update Not Visible
Managed package No Yes No
Created in your org No Yes Yes