ISVforce Guide

ISVforce Guide: Build and Distribute AppExchange Solutions
Get Ready to Distribute on AppExchange
Use Managed Packages to Develop Your AppExchange Solution
Manage Orgs with Environment Hub
Architectural Considerations for Group and Professional Editions
Security Requirements for AppExchange Partners and Solutions
Security Policy Requirements
Prevent Secure Coding Violations
Load JavaScript Files from Third-Party Endpoints
Load Third-Party CSS in Lightning Components
Use CSS Outside Components
Running JavaScript in the Salesforce Domain
Expose Secret Data When Debugging
Store Sensitive Data Insecurely
Using Software That Has Known Vulnerabilities
Use Sample Code in Production
Bypass Object-Level and Field-Level Access Settings
Bypass Sharing Rules in Apex
SOQL Injection Due to Insecure Database Query Construction
Cross-Site Request Forgery
Open Redirects
Lightning LockerService Disabled
Insufficient Escaping in Lightning Components
Asynchronous Code in Components
Secure Communication
Secure Your B2C Commerce Solution
Secure Your Tableau Accelerator
Secure Your Agentforce Solution
Pass the AppExchange Security Review
Manage Your AppExchange Listings
Sell on AppExchange with Checkout
Report Orders to Salesforce with the Channel Order App
Provide Free Trials of Your AppExchange Solution
OEM User License Guide
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Lightning LockerService Disabled

Lightning LockerService is a critical security feature for Lightning code. It provides component isolation that allows code from many sources to execute and interact using safe, standard APIs and event mechanisms. Enable Lightning Locker for AppExchange packages that contain Lightning components or applications.

Lightning LockerService is enabled for all custom Lightning web components. The service was activated for customers in the Summer ’17 release. Lightning LockerService isn’t enforced for components that use API version 39.0 and lower, which covers any component created before Summer ’17. When a component is set to at least API version 40.0, it’s enabled. New AppExchange security reviews and periodic re-reviews require components to be version 40.0 or higher so that Locker is enabled.

Metadata Example

In this component’s <AuraDefinitionBundle> metadata, the <apiVersion> field sets the API version to 39.0. LockerService is disabled for components that use API version 39.0 and lower.
In this component’s revised <AuraDefinitionBundle> metadata, the <apiVersion> field sets the API version to 40.0. LockerService is enforced for components that use API version 40.0 and higher.

For more information, read the Summer 2017 Release Notes and Security with Lightning Locker in the Lightning Web Components Developer Guide.