What is LockerService?

LockerService is a powerful security architecture for Lightning components. LockerService enhances security by isolating individual Lightning components in their own namespace. LockerService also promotes best practices that improve the supportability of your code by only allowing access to supported APIs and eliminating access to non-published framework internals.

What Does LockerService Affect?

LockerService enforces security in:

  • Lightning Experience
  • Salesforce1
  • Template-based Communities
  • Standalone apps that you create (for example, myApp.app)

LockerService enforces security in Lightning Out. However, the CSP restrictions of LockerService aren’t enforced in Lightning Out. Lightning Out allows you to run Lightning components in a container outside of Lightning apps, such as Lightning components in Visualforce and Visualforce-based communities. The container defines the CSP rules.

LockerService doesn’t affect Salesforce Classic, Visualforce-based communities, Sales Console, or Service Console, except for usage of Lightning components in Visualforce in these contexts.

Graceful Degradation for Unsupported Browsers

LockerService relies on some basic JavaScript features in the browser: support for strict mode and the Map object. These requirements align with the supported browsers for Lightning Experience. If a browser doesn’t meet the requirements, LockerService can’t enforce all its security features.

LockerService provides a graceful degradation for unsupported browsers by disabling LockerService features that aren’t supported by a browser. However, if you use an unsupported browser, you’re likely to encounter issues that won’t be fixed. Make your life easier and your browsing experience more secure by using a supported browser.

Note

IE11 doesn’t support CSP, so we recommend using other supported browsers for enhanced security.

LockerService Requirements

LockerService enforces several security features in your code.

JavaScript ES5 Strict Mode Enforcement

JavaScript ES5 strict mode is implicitly enabled. You don’t need to specify "use strict" in your code.

JavaScript strict mode makes code more robust and supportable. For example, it throws some errors that would otherwise be suppressed.

A few common stumbling points when using strict mode are:

  • You must declare variables with the var keyword.
  • You must explicitly attach a variable to the window object to make the variable available outside a library. For more information, see Sharing JavaScript Code Across Components.
  • The libraries that your components use must also work in strict mode.

For more information about JavaScript strict mode, see the Mozilla Developer Network.
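The following is an added example, not code from the Salesforce documentation, that shows the three stumbling points above outside Lightning: an assignment without var raising ReferenceError once strict mode is on, a sloppy-mode library feature (arguments.callee) failing, and the explicit attachment to window that a library needs to be reachable. It assumes window exists in the browser and falls back to globalThis so it also runs under Node; myNamespaceLib is a placeholder name.

```javascript
// Added example: behaviour of the ES5 strict mode that LockerService enables
// implicitly. Each function opts in with its own "use strict" directive so the
// demonstration does not depend on how the enclosing file is loaded.

// Assigning to an undeclared name silently creates a global in sloppy mode;
// under strict mode it throws ReferenceError, which is what a component sees
// when a `var` declaration is missing.
function assignUndeclared() {
  'use strict';
  try {
    undeclaredCounter = 1;         // no `var` declaration
    return 'implicit global created';
  } catch (e) {
    return e.name;                 // 'ReferenceError'
  }
}

// A library that relies on sloppy-mode features breaks once strict mode is
// on; reading arguments.callee is one such case and throws TypeError.
function sloppyLibraryCall() {
  'use strict';
  try {
    return typeof arguments.callee;
  } catch (e) {
    return e.name;                 // 'TypeError'
  }
}

// Resolve the global object: `window` in a browser, globalThis elsewhere
// (assumption so the example also runs under Node).
var globalRoot = (typeof window !== 'undefined') ? window : globalThis;

// A static-resource library typically wraps itself in an IIFE. In strict mode
// nothing inside leaks out by accident, so the library must attach its public
// surface to the window object explicitly. `myNamespaceLib` is a placeholder.
function installLibrary(root) {
  (function () {
    'use strict';
    var helper = {                 // private until attached
      square: function (n) { return n * n; }
    };
    root.myNamespaceLib = helper;  // explicit attach makes it reachable
  })();
  return typeof root.myNamespaceLib; // 'object'
}
```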
DOM Access Containment

A component can only traverse the DOM and access elements created by a component in the same namespace. This behavior prevents the anti-pattern of reaching into DOM elements owned by components in another namespace.

Note

It’s an anti-pattern for any component to “reach into” another component, regardless of namespace. LockerService only prevents cross-namespace access. Your good judgment should prevent cross-component access within your own namespace as it makes components tightly coupled and more likely to break.

For more information, see DOM Access Containment.

Restrictions to Global References

LockerService applies restrictions to global references. You can access intrinsic objects, such as Array. LockerService provides secure versions of non-intrinsic objects, such as window. The secure object versions automatically and seamlessly control access to the object and its properties.

Use the Salesforce Lightning CLI tool to scan your code for Lightning-specific issues.

Access to Supported JavaScript API Framework Methods Only

You can access published, supported JavaScript API framework methods only. These methods are published in the reference doc app at https://yourDomain.lightning.force.com/auradocs/reference.app. Previously, unsupported methods were accessible, which exposed your code to the risk of breaking when unsupported methods were changed or removed.

The preceding security features are enforced when LockerService is active in your org. LockerService is a critical update for this release. LockerService will be automatically activated for all orgs in the Summer ’17 release. Before the Summer ’17 release, you can manually activate and deactivate the update as often as you need to evaluate the impact on your org.

The LockerService critical update also enforces a stricter CSP in sandboxes and Developer Edition orgs.

Stricter Content Security Policy (CSP)

LockerService tightens CSP to eliminate the possibility of cross-site scripting attacks. These CSP changes are only enforced in sandboxes and Developer Edition orgs.

The stricter CSP disallows the unsafe-inline and unsafe-eval keywords for inline scripts (script-src). Ensure that your code and the third-party libraries you use adhere to these rules by removing all calls to eval() and all inline JavaScript code execution. You might have to update your third-party libraries to modern versions that don’t depend on unsafe-inline or unsafe-eval.
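As an added example (not from the Salesforce documentation), the block below does two things a practitioner wants when preparing for the stricter policy: it parses a Content-Security-Policy header value and reports whether script-src still carries unsafe-inline or unsafe-eval, and it shows a small template helper built on new Function(), which CSP treats like eval(), next to the same helper rewritten without dynamic code. The header values and the template format are constructed for the example.

```javascript
// Added example: auditing for the stricter CSP that LockerService enforces.

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  var policy = {};
  header.split(';').forEach(function (part) {
    var tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  });
  return policy;
}

// Return the keywords in script-src that the stricter CSP rejects. When
// script-src is absent, CSP falls back to default-src, so check that instead.
function forbiddenScriptKeywords(header) {
  var policy = parseCsp(header);
  var sources = policy['script-src'] || policy['default-src'] || [];
  return sources.filter(function (s) {
    var k = s.toLowerCase();
    return k === "'unsafe-inline'" || k === "'unsafe-eval'";
  });
}

// Before: compiles "Hello {{name}}" into a function body and runs it with
// new Function(). A policy without 'unsafe-eval' blocks this call, and a
// template containing a double quote escapes straight into executable code.
function renderWithEval(template, data) {
  var body = 'return "' +
    template.replace(/\{\{(\w+)\}\}/g, '" + data.$1 + "') + '";';
  return new Function('data', body)(data);
}

// After: same output via plain string replacement. No dynamic code, so it
// works under a script-src that omits 'unsafe-eval'; unknown keys render as
// an empty string instead of the text "undefined".
function renderWithoutEval(template, data) {
  return template.replace(/\{\{(\w+)\}\}/g, function (_, key) {
    return Object.prototype.hasOwnProperty.call(data, key) ? String(data[key]) : '';
  });
}
```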

Note

IE11 doesn’t support CSP, so we recommend using other supported browsers for enhanced security.

Activate the Critical Update

LockerService is a critical update for this release. LockerService will be automatically activated for all orgs in the Summer ’17 release. Before the Summer ’17 release, you can manually activate and deactivate the update as often as you need to evaluate the impact on your org.

To activate this critical update:

  1. From Setup, enter Critical Updates in the Quick Find box, and then select Critical Updates.
  2. For “Enable Lightning LockerService Security”, click Activate.
  3. Refresh your browser page to proceed with LockerService enabled.

We recommend that you test LockerService in a sandbox or a Developer Edition org to verify correct behavior of your components before enabling it in your production org.

Components Installed from Managed Packages

To control whether LockerService is enforced for components installed from a managed package:

  1. From Setup, enter Lightning Components in the Quick Find box, and then select Lightning Components.
  2. Select the Enable LockerService for Managed Packages checkbox to enforce LockerService for components installed from a managed package.

    Note

    The checkbox is only visible when the critical update is activated.

If you deselect the Enable LockerService for Managed Packages checkbox, LockerService is not enforced for components installed from a managed package. Components that you create in your org still run with enforcement of LockerService restrictions.

Default Settings for New Orgs

Here’s a table summarizing when LockerService is enforced for new orgs.

Components created in your org are in the default namespace, c, or in your org’s namespace, if you created a namespace.

Component Source    | Developer Edition | All Other Supported Editions
Created in your org | Yes               | Yes
Managed package     | Yes               | No

You can change LockerService enforcement by toggling the critical update (for components created in your org) or the Enable LockerService for Managed Packages checkbox (for components from managed packages).