Lightning Aura Components Developer Guide

What Is the Lightning Component Framework?
Quick Start
Creating Components
Using Components
Communicating with Events
Communicating Across the DOM with Lightning Message Service
Creating Apps
Styling Apps
Developing Secure Code
What is Lightning Locker?
JavaScript Strict Mode Enforcement
DOM Access Containment
Secure Wrappers
eval() Function is Limited by Lightning Locker
MIME Types Permitted
Access to Supported JavaScript API Framework Methods Only
What Does Lightning Locker Affect?
Lightning Locker Tools
Select the Locker API Version for an Org
Disable Lightning Locker for a Component
Don’t Mix Component API Versions
Lightning Locker Disabled for Unsupported Browsers
Content Security Policy Overview
Using JavaScript
Working with Salesforce Data
Testing Components with Lightning Testing Service
Debugging
Performance
Reference
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Select the Locker API Version for an Org

Select the API version used by Lightning Locker across your org. The default is the current API version, which includes the latest Locker security enhancements. Select an earlier API version when custom components only comply with Locker in an older version. When components become compliant with the current security enhancements, you can change the setting to the current API version.

We recommend updating your custom components to comply with the latest version, but we know that it can take some time. Your org could also depend on managed packages that third-party developers must update. Set Lightning Locker to use an older API version to give developers time to update their custom Lightning components and comply with Locker’s latest security enhancements.

The Locker API version setting is first available in the Winter ’20 release. The earliest Locker API version you can select is 46.0, which enables the Locker features of the Summer ’19 release.

Note

Verify in sandbox orgs that custom components perform correctly with the Locker API version set to the latest. Then you can change the Locker API version to the latest in your production orgs to take advantage of the latest security enhancements.

Where the Locker API Version Is Used

Changing the Locker API version for the org affects all Lightning components used in the areas listed in What Does Lightning Locker Affect?. However, it doesn’t affect the Salesforce API version in components that set apiVersion in their configuration files. The Locker API version isn’t the same as the Salesforce API version. They use the same version number to indicate alignment with the same Salesforce release. The org setting for Locker API version can’t override the component’s minimum required Salesforce API version.

If a component’s apiVersion is set to 39.0 to disable Locker, the component is not affected by the Locker API version setting for the org. Locker is still disabled in the component.

Note

Locker API Version Changes

View the security changes in the API versions to help determine compatibility of your custom components.

Locker API Version Security Changes Description
50.0 None Lightning Locker changes in this release don’t impact custom components.
49.0 Restrict APIs used in $A.getCallback() Lightning Locker wraps the $A.getCallback() function. JavaScript that is wrapped by $A.getCallback() must adhere to Locker’s security restrictions. See the Locker API Viewer for support status of JavaScript APIs in Lightning Locker.
48.0 Sanitize HTML inserted with execCommand Lightning Locker sanitizes HTML that’s inserted using document.execCommand(insertHTML) to remove potentially malicious executable script content.
47.0 Reject import() expressions Lightning Locker doesn't allow the import() expression because importing third-party code is a potential security risk.
Restrict the name and id properties of a HTML element Lightning Locker doesn't allow the name or id attribute to be set to property names that are reserved for the DOM.
46.0 All Locker security features Supports all Lightning Locker features since its introduction, when it was called LockerService. This includes all features in version 37.0 (Spring '16) through version 46.0 (Summer '19) releases.

Change the Locker API Version for Your Org

  1. From Setup, enter Session in the Quick Find box, and then select Session Settings.
  2. In the Locker API Version section, for the Use security enhancements in API version field, select the API version.
  3. Click Save.