Lightning Components Developer Guide

What is the Lightning Component Framework?
Quick Start
Creating Components
Using Components
Communicating with Events
Creating Apps
App Overview
Designing App UI
Creating App Templates
Developing Secure Code
What is LockerService?
JavaScript ES5 Strict Mode Enforcement
DOM Access Containment
Secure Wrappers for Global References
JavaScript API for Secure Wrappers
Access to Supported JavaScript API Framework Methods Only
What Does LockerService Affect?
Disabling LockerService for a Component
Don’t Mix Component API Versions
LockerService Disabled for Unsupported Browsers
Content Security Policy Overview
Salesforce Lightning CLI
Styling Apps
Using JavaScript
JavaScript Cookbook
Using Apex
Lightning Data Service (Beta)
Lightning Container (Developer Preview)
Controlling Access
Using Object-Oriented Development
Using the AppCache
Distributing Applications and Components
Debugging
Fixing Performance Warnings
Reference
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Secure Wrappers for Global References

LockerService applies restrictions to global references. LockerService provides secure versions of non-intrinsic objects, such as window. For example, the secure version of window is SecureWindow. You can interact with a secure wrapper in the same way as you interact with the non-intrinsic object, but the secure wrappers filter access to the object and its properties. The secure wrappers expose a subset of the API of the underlying objects.

Here’s a list of the secure objects that you’ll most commonly encounter.

SecureAura
Secure wrapper for $A, which is the entry point for using the framework in JavaScript code.
SecureComponent
Secure wrapper for the Component object.
SecureComponentRef
SecureComponentRef is a subset of SecureComponent that provides the external API for a component in a different namespace.
When you’re in a controller or helper, you have access to a SecureComponent, essentially the this object. In other contexts when you’re working with a component, you get a SecureComponentRef instead if you reference a component in a different namespace. For example, if your markup includes a lightning:button and you call cmp.find("buttonAuraId"), you get a SecureComponentRef as lightning:button is in a different namespace from the component containing the button markup.
SecureDocument
Secure wrapper for the Document object, which represents the root node of the HTML document or page. The Document object is the entry point into the page’s content, which is the DOM tree.
SecureElement
Secure wrapper for the Element object, which represents an HTML element. SecureElement is wrapped in a Proxy object as a performance optimization so that its data can be lazily filtered when it’s accessed. The HTML element is represented by a Proxy object if you’re debugging in the browser console.
SecureObject
Secure wrapper for an object that is wrapped by LockerService. When you see a SecureObject, it typically means you don’t have access to the object so some properties aren’t available.
SecureWindow
Secure wrapper for the Window object, which represents a window containing a DOM document.

Example

Let’s look at a sample component that demonstrates some of the secure wrappers.

1<!--c:secureWrappers-->
2<aura:component >
3    <div id="myDiv" aura:id="div1">
4        <p>See how LockerService uses secure wrappers</p>
5    </div>
6    <lightning:button name="myButton" label="Peek in DOM"
7        aura:id="button1" onclick="{!c.peekInDom}"/>
8</aura:component>

The c:secureWrappers component creates a <div> HTML element and a <lightning:button> component.

Here’s the client-side controller that peeks around in the DOM.

1({ /* secureWrappersController.js */
2    peekInDom : function(cmp, event, helper) {
3        console.log("div1: ", cmp.find("div1").getElement());
4        
5        console.log("button1: ", cmp.find("button1"));
6        console.log("button name: ", event.getSource().get("v.name"));
7        // add debugger statement for inspection
8        // always remove this from production code
9        debugger;
10    }
11})

We use console.log() to look at the <div> element and the button. The <div> SecureElement is wrapped in a Proxy object as a performance optimization so that its data can be lazily filtered when it’s accessed.

We put a debugger statement in the code so that we could inspect the elements in the browser console.

Type these expressions into the browser console and look at the results.

1cmp
2cmp+""
3cmp.find("button1")
4cmp.find("button1")+""
5window
6window+""
7$A
8$A+""

We add an empty string to some expressions so that the object is converted to a String. You could also use the toString() method.

Here’s the output.Browser console output

Let’s examine some of the output.

cmp+""
Returns a SecureComponent object for cmp, which represents the c:secureWrappers component.
cmp.find("button1")+""
Returns a SecureComponentRef, which represents the external API for a component in a different namespace. In this example, the component is lightning:button.
window+""
Returns a SecureWindow object.
$A+""
Returns a SecureAura object.