Lightning Web Security

Lightning Web Security is designed to make it easier for your components to use secure coding practices. Lightning Locker has been the default security architecture for all Lightning components. Lightning Web Security (LWS) is replacing Lightning Locker for Lightning components. LWS for Lightning web components and Aura components is generally available.

Lightning Web Security is modeled after the latest TC39 standards to provide innovative, usable security for any UI component. This approach enables teams to safely use code from third parties without fear of threats such as cross-site scripting (XSS) attacks. The result is a more secure way to control the execution of code within the UI layer without forcing developers to jump through hoops or abandon desired functionality.

The good news is that this technology doesn’t require refactoring of your LWC code because your code already abides by the security practices required by Lightning Locker. Most existing Lightning web components just work in this new architecture.

Even better news is you have the option to refactor your code to let your components take advantage of the new freedoms that this technology enables. Your components run in an isolated JavaScript environment dedicated to your namespace, but they can import components and modules from other namespaces as if they’re all running in the same environment. The namespace isolation is transparent to the components because the architecture takes care of it seamlessly for you. As a result, some of the restrictions that your components observe when running in Lightning Locker aren’t necessary in Lightning Web Security.

We call these isolated environments JavaScript sandboxes. Each namespace has a dedicated JavaScript sandbox. The architecture manages the virtual interaction of components that are running in different JavaScript sandboxes.
