1 What is Lightning Locker Service?
2 Why there is a need for Lightning Locker?
-- Why do we say that browsers can be insecure?
-- What is malicious JavaScript?
-- What is cross-site scripting(XSS)?
3 How it impacts your Lightning Components?
4 How you can enable/disable Lightning Locker
5 Demo
Measures of Central Tendency: Mean, Median and Mode
Lightning Locker Services
1. Farmington Hills
Salesforce Developer User Group
Apex Hours
Lightning Locker Service
#SalesforceApexHours #FarmingtonHillsSFDCDug
Speaker
Date
Venue/Link
Manish Choudhari, Jigar ,Amit Chaudhary
Saturday, DEC 15, 2018 10:00 AM EST ( 8:30 PM IST )
2. #FarmingtonHillsSFDCdug #SalesforceApexHours
Apex Hours
Who am I ?
Jigar Shah
• Active on Salesforce Developer Community
• Blog at https://learnsfdcwithjigar.wordpress.com
• Salesforce Global Community Speaker
• ApexHours Co-organizer
• Follow us @jigarshah189 or @ApexHours
4. Apex Hours
#FarmingtonHillsSFDCdug #SalesforceApexHours
Agenda
• What is Lightning Locker Service?
• Why there is a need for Lightning Locker?
• Why do we say that browsers can be insecure?
• What is malicious JavaScript?
• What is cross-site scripting(XSS)?
• How it impacts your Lightning Components?
• How you can enable/disable Lightning Locker
• Demo
5. Apex Hours
#FarmingtonHillsSFDCdug #SalesforceApexHours
What is Lightning Locker Service?
Lightning Locker is a layer which sits in between your browser and DOM (document
object).
In other words, Lightning Locker is a virtual browser that allows only secure request to go
through and have access to real DOM.
This virtual browser sits in front of your unsafe real browser.
7. Apex Hours
#FarmingtonHillsSFDCdug #SalesforceApexHours
Why do we say that browsers can
be insecure?
Your browser is just an application to compile HTML and JavaScript code to generate
web pages. It is medium to interact with the end user.
The JavaScript should be smart enough to tell the difference between a hacker and
genuine user based on their interaction or activity with the webpage.
8. Apex Hours
#FarmingtonHillsSFDCdug #SalesforceApexHours
What is malicious JavaScript?
JavaScript code has access to your webpage and can perform tasks like getting
cookies information, sending HTTP request to the external server using XHR or getting
user sensitive data stored in forms.
These awesome features can be equally harmful if not being run by an authorized
person.
9. Apex Hours
#FarmingtonHillsSFDCdug #SalesforceApexHours
What is cross-site scripting(XSS)?
XSS is a malicious JavaScript code injected within a web-page by the end
user (hacker).
This code can perform malicious activity like get browser cookies, getting user’s
sessions info etc.
11. Apex Hours
#FarmingtonHillsSFDCdug #SalesforceApexHours
Injecting Via URL
In this case, the hacker replaces the URL parameters with a malicious JavaScript
code which will be executed by the webpage.
For example: http://sfdcfacts.com?postId=<script>alert('you are hacked');</script>
12. Apex Hours
#FarmingtonHillsSFDCdug #SalesforceApexHours
How it impacts your Lightning
Components?
Lightning Framework is a component-based framework, where multiple components
are placed together on the same page to give you a combined output. These
components can be:
• Base lightning component (lightning namespace like lightning:button)
• Other out of the box components (like force, ui, aura namespace)
• Custom components (You org’s custom components, generally from “c” namespace)
• Managed/Unmanaged package components
13. Apex Hours
#FarmingtonHillsSFDCdug #SalesforceApexHours
Security Vulnerabilities
• One component can traverse the DOM of another component. That means my
managed package component can read or traverse the DOM of my Org’s custom
components.
• Components can call private APIs.
• If strict mode is not enabled (without lightning locker), can lead to other security issues.
17. Apex Hours
#FarmingtonHillsSFDCdug #SalesforceApexHours
Advantages of Lightning Locker
Services
• A component cannot traverse the DOM of another component if another component belongs to a different
namespace. Example, we cannot read the DOM of lightning base components as they belong to “lightning”
namespace.
• Custom components do not have access to system APIs. Example, the custom component cannot access
$A.eventService API.
• The JavaScript strict mode is enabled by default and need not be specified specifically.
• You cannot have access to external JS libraries without uploading those in the static resource.
• Salesforce authored or Out of the box components will still have unrestricted access to DOM and APIs as these
components will run in System Mode.
18. Apex Hours
#FarmingtonHillsSFDCdug #SalesforceApexHours
How you can enable/disable
Lightning Locker
How to disable lightning locker?
You can disable lightning locker by changing the api version of lightning component
bundle to 39 or below.
How to enable lightning locker?
Lightning locker is automatically enabled for component bundles having api version 40
or above.