Lightning Locker Services

Farmington Hills
Salesforce Developer User Group
Apex Hours
Lightning Locker Service
#SalesforceApexHours #FarmingtonHillsSFDCDug
Speaker
Date
Venue/Link
Manish Choudhari, Jigar ,Amit Chaudhary
Saturday, DEC 15, 2018 10:00 AM EST ( 8:30 PM IST )

#FarmingtonHillsSFDCdug #SalesforceApexHours
Apex Hours
Who am I ?
Jigar Shah
• Active on Salesforce Developer Community
• Blog at https://learnsfdcwithjigar.wordpress.com
• Salesforce Global Community Speaker
• ApexHours Co-organizer
• Follow us @jigarshah189 or @ApexHours

Our Speaker
Manish Choudhari
14x Certified Salesforce Developer, Salesforce.com
Blogger & Author – http://sfdcfacts.com
Youtube – https://youtube.com/SFDCFacts
Follow me @manish_sfdc
#SalesforceApexHours #FarmingtonHillsSFDCDug

Apex Hours
Agenda
• What is Lightning Locker Service?
• Why there is a need for Lightning Locker?
• Why do we say that browsers can be insecure?
• What is malicious JavaScript?
• What is cross-site scripting(XSS)?
• How it impacts your Lightning Components?
• How you can enable/disable Lightning Locker
• Demo

Apex Hours
What is Lightning Locker Service?
Lightning Locker is a layer which sits in between your browser and DOM (document
object).
In other words, Lightning Locker is a virtual browser that allows only secure request to go
through and have access to real DOM.
This virtual browser sits in front of your unsafe real browser.

Apex Hours
Why there is a need for Lightning
Locker?

Apex Hours
Why do we say that browsers can
be insecure?
Your browser is just an application to compile HTML and JavaScript code to generate
web pages. It is medium to interact with the end user.
The JavaScript should be smart enough to tell the difference between a hacker and
genuine user based on their interaction or activity with the webpage.

Apex Hours
What is malicious JavaScript?
JavaScript code has access to your webpage and can perform tasks like getting
cookies information, sending HTTP request to the external server using XHR or getting
user sensitive data stored in forms.
These awesome features can be equally harmful if not being run by an authorized
person.

Apex Hours
What is cross-site scripting(XSS)?
XSS is a malicious JavaScript code injected within a web-page by the end
user (hacker).
This code can perform malicious activity like get browser cookies, getting user’s
sessions info etc.

Apex Hours
Injecting Via Form
In this case, the hacker needs to identify an input element where he can paste his
malicious JavaScript code.

Apex Hours
Injecting Via URL
In this case, the hacker replaces the URL parameters with a malicious JavaScript
code which will be executed by the webpage.
For example: http://sfdcfacts.com?postId=<script>alert('you are hacked');</script>

Apex Hours
How it impacts your Lightning
Components?
Lightning Framework is a component-based framework, where multiple components
are placed together on the same page to give you a combined output. These
components can be:
• Base lightning component (lightning namespace like lightning:button)
• Other out of the box components (like force, ui, aura namespace)
• Custom components (You org’s custom components, generally from “c” namespace)
• Managed/Unmanaged package components

Apex Hours
Security Vulnerabilities
• One component can traverse the DOM of another component. That means my
managed package component can read or traverse the DOM of my Org’s custom
components.
• Components can call private APIs.
• If strict mode is not enabled (without lightning locker), can lead to other security issues.

Apex Hours
Example

Apex Hours
Dom Structure(Without Lightning
Locker)

Apex Hours
Dom Structure(With Lightning
Locker)

Apex Hours
Advantages of Lightning Locker
Services
• A component cannot traverse the DOM of another component if another component belongs to a different
namespace. Example, we cannot read the DOM of lightning base components as they belong to “lightning”
namespace.
• Custom components do not have access to system APIs. Example, the custom component cannot access
$A.eventService API.
• The JavaScript strict mode is enabled by default and need not be specified specifically.
• You cannot have access to external JS libraries without uploading those in the static resource.
• Salesforce authored or Out of the box components will still have unrestricted access to DOM and APIs as these
components will run in System Mode.

Apex Hours
How you can enable/disable
Lightning Locker
How to disable lightning locker?
You can disable lightning locker by changing the api version of lightning component
bundle to 39 or below.
How to enable lightning locker?
Lightning locker is automatically enabled for component bundles having api version 40
or above.

Apex Hours
Demo

Apex Hours
Q&A

Apex Hours
Reference Resources
http://sfdcfacts.com/lightning/why-there-is-a-need-for-lightning-locker-lightning-
locker-services-part-1/
http://sfdcfacts.com/lightning/lightning-locker-explained-with-example-lightning-
locker-services-part-2/
https://youtu.be/UgzQBVEVvfg

Apex Hours
Follow us
#SalesforceApexHours @ApexHours
https://trailblazercommunitygroups.com/farmingto
n-mi-developers-group/
https://www.youtube.com/channel/UChTdRj6Yfw
qhR_WEFepkcJw/videos
https://www.facebook.com/SalesforceApexHours

Lightning Locker Services

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Lightning Locker Services

Ähnlich wie Lightning Locker Services (20)

Mehr von Amit Chaudhary

Mehr von Amit Chaudhary (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Lightning Locker Services