Select the Locker API Version for an Org
Select the API version used by Lightning Locker across your org. The default is the current API version, which includes the latest Locker security enhancements. Select an earlier API version when custom components only comply with Locker in an older version. When components become compliant with the current security enhancements, you can change the setting to the current API version.
After your sandbox org updates to a new Salesforce release, it’s possible that custom components conflict with Lightning Locker security enhancements. Check the web console for messages.
We recommend updating your custom components to comply with the latest Locker API version, but we know that updates can take some time. Your org could also depend on managed packages containing custom components that third-party developers must update. Set your org to use an older Locker API version to give developers time to update custom Lightning components and comply with Locker’s latest security enhancements.
Verify in a sandbox org that custom components perform correctly with the Locker API version set to the latest. Then you can change the Locker API version to the latest in your production org to take advantage of the latest security enhancements.
The Locker API version setting is first available in the Winter ’20 release. The earliest Locker API version you can select is 46.0, which enables the Locker features of the Summer ’19 release.
The Locker API version for the org affects all Lightning components used in the areas listed in What Does Lightning Locker Affect?.
The Locker API version for the org has no effect on Lightning web components when Lightning Web Security is enabled in the org.
Every Lightning web component has a configuration file with an apiVersion. The component apiVersion and the Locker API version use the same version number strategy to align with Salesforce releases. However, the org setting for Locker API version has no relation to the component’s apiVersion. The Locker API version set in the org applies to all Lightning components, regardless of their apiVersion setting.
If an Aura component's apiVersion is set to 39.0, which disables Locker, the component isn't affected by the Locker API version setting for the org. Locker is still disabled in the component.
View the security changes in the API versions to help determine compatibility of your custom components.
Locker API Version | Security Changes | Description |
---|---|---|
53.0 and later | None | Lightning Locker changes in this release don’t impact custom components. |
52.0 | Prevent several potential mutation-based cross-site scripting (mXSS) vectors. | Lightning Locker tightened the sanitizing of markup to improve security. This change applies to all the API versions. You can’t roll back this change by selecting an earlier API version. |
51.0 | None | Lightning Locker changes in this release don’t impact custom components. |
50.0 | None | Lightning Locker changes in this release don’t impact custom components. |
49.0 | Restrict APIs used in $A.getCallback() | Lightning Locker wraps the $A.getCallback() function. JavaScript that is wrapped by $A.getCallback() must adhere to Locker’s security restrictions. See the Locker API Viewer for support status of JavaScript APIs in Lightning Locker. |
48.0 | Sanitize HTML inserted with execCommand | Lightning Locker sanitizes HTML that’s inserted using document.execCommand(insertHTML) to remove potentially malicious executable script content. |
47.0 | Reject import() expressions | Lightning Locker doesn't allow the import() expression because importing third-party code is a potential security risk. |
47.0 | Restrict the name and id properties of an HTML element | Lightning Locker doesn't allow the name or id attribute to be set to property names that are reserved for the DOM. |
46.0 | All Locker security features | Supports all Lightning Locker features since its introduction, when it was called LockerService. This includes all features in version 37.0 (Spring '16) through version 46.0 (Summer '19) releases. |
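
As an added example (not Salesforce code), the Node.js sketch below scans component JavaScript for the constructs the table ties to Locker API versions 47.0 through 49.0, to help triage which custom components need review before raising the org setting. The rule list, function names and sample controller are assumptions constructed for illustration; regex matching is heuristic, and the name/id restriction and the 52.0 sanitizing change are not covered.

```javascript
// Added example: heuristic triage of component JavaScript against the
// Locker API version table. Hits are review items, not proof of breakage.
const RULES = [
  { version: 47.0, change: 'Reject import() expressions',
    pattern: /(^|[^\w$.])import\s*\(/ },
  { version: 48.0, change: 'Sanitize HTML inserted with execCommand',
    pattern: /execCommand\(\s*['"]insertHTML['"]/i },
  { version: 49.0, change: 'Restrict APIs used in $A.getCallback()',
    pattern: /\$A\.getCallback\s*\(/ },
];

// Returns one finding per (line, rule) match; whole-line comments are skipped.
function scanSource(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    if (/^\s*\/\//.test(text)) return;
    for (const rule of RULES) {
      if (rule.pattern.test(text)) {
        findings.push({ line: i + 1, version: rule.version, change: rule.change });
      }
    }
  });
  return findings;
}

// Lowest Locker API version whose change touches the flagged code, or null.
function earliestAffectingVersion(findings) {
  return findings.length ? Math.min(...findings.map((f) => f.version)) : null;
}

// Constructed sample Aura controller, not taken from any real component.
const SAMPLE = [
  '({',
  '  init: function (cmp) {',
  '    window.setTimeout($A.getCallback(function () {',
  '      document.execCommand("insertHTML", false, cmp.get("v.html"));',
  '    }), 0);',
  '    // import("./legacy.js") was removed',
  '    import("./chart.js").then(function (m) { m.draw(); });',
  '  }',
  '})',
].join('\n');

for (const f of scanSource(SAMPLE)) {
  console.log(`line ${f.line}: Locker API ${f.version.toFixed(1)} - ${f.change}`);
}
```
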
- From Setup, enter Session in the Quick Find box, and then select Session Settings.
- In the Locker API Version section, for the Use security enhancements in API version field, select the API version.
- Click Save.