Monday, 6 July 2020

Security with Lightning Locker

A) JavaScript Strict Mode Enforcement

You don't need to specify "use strict" in your code.

Lightning Locker implicitly enables JavaScript strict mode everywhere. Strict mode makes code more secure, robust and supportable, which has three practical consequences:

1. Variables (var, let and const) must be declared before use.
2. To share code, you must export/import variables and functions from/to modules.
3. The libraries you use must also work in strict mode.
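To make the three consequences concrete, here is an added example (not code from the original post) that runs the same snippet with and without strict mode. It relies on the fact that a function built with the `Function` constructor is sloppy-mode unless its body opts in with "use strict"; the snippet bodies and the `lockerDemoLeak` name are constructed for the demonstration.

```javascript
// Added example (not from the original post): shows what strict-mode
// enforcement changes. A function built with the Function constructor is
// sloppy-mode unless its body opts in with "use strict", so the same body
// can be run both ways and the outcomes compared.

function runBody(body, strict) {
  const source = (strict ? '"use strict"; ' : '') + body;
  try {
    return { ok: true, value: new Function(source)() };
  } catch (e) {
    // Strict mode surfaces the problem as an exception instead of hiding it.
    return { ok: false, error: e.constructor.name };
  }
}

// Rule 1: assignment to an undeclared name. Sloppy mode silently creates a
// global; strict mode throws a ReferenceError.
function undeclaredAssignment(strict) {
  const result = runBody('lockerDemoLeak = 42; return typeof lockerDemoLeak;', strict);
  delete globalThis.lockerDemoLeak; // undo the global that the sloppy run leaks
  return result;
}

// Writes to a frozen object: sloppy mode ignores them, strict mode throws a TypeError.
function frozenWrite(strict) {
  return runBody(
    'var cfg = Object.freeze({ debug: false }); cfg.debug = true; return cfg.debug;',
    strict
  );
}

// `this` in a plain function call: the global object in sloppy mode, undefined
// in strict mode, so a library that assumes `this` is window breaks.
function looseThis(strict) {
  return runBody('return (function () { return this === undefined; })();', strict);
}

// Rule 3: legacy library code using `with` does not even parse under strict mode.
function legacyWithStatement(strict) {
  return runBody('var scope = { answer: 1 }; with (scope) { return answer; }', strict);
}
```

Each helper returns `{ ok: true, value }` for the sloppy run and `{ ok: false, error }` for the strict run, which is exactly the difference a library author has to test for before shipping code into a Locker-enabled environment.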

B) DOM Access Containment

Lightning web components can't use the window or document global properties to query the DOM.

C) Secure Wrappers

Lightning Locker restricts the use of global objects by wrapping them in a secure version of the object.

LockerService wraps standard objects like window, document and element inside a secure version of these objects (SecureWindow, SecureDocument and SecureElement) as a way to control access to APIs and regions of the DOM.

When components are loaded, they are provided with the secure wrappers (SecureWindow and SecureDocument) instead of the standard objects (window and document).

When a component invokes a method on the document or window object, the secure wrapper can apply appropriate security restrictions.


Locker Service API Viewer

Secure Document
Secure Element
Secure Window

D) Restricted Access to Salesforce Global Variables

Lightning Locker blocks access to some global JavaScript objects that are available to other Salesforce features, such as $A, Aura, sfdc and sforce.
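Sections B, C and D describe one mechanism from three angles: a wrapper sits between component code and the real window/document and decides what each call may see. The following added example is a toy version of that mechanism, written for this page; it is not Lightning Locker's actual implementation. The `rawDocument` and `rawWindow` objects are constructed stand-ins for the browser DOM, the component keys `c:payment` and `c:navBar` are invented, and the allowlist contents are an assumption.

```javascript
// Added example, not Lightning Locker's real implementation: a toy "secure
// wrapper" built with a Proxy. It shows how such a wrapper can
//  (B) confine DOM queries to elements the component itself rendered,
//  (C) mediate every property read on window/document, and
//  (D) hide framework globals such as $A, Aura, sfdc and sforce.

// Constructed stand-in for the browser DOM: a flat list of elements, each
// tagged with the component (owner) that rendered it.
const rawDocument = {
  cookie: 'sid=constructed-session-token',
  elements: [
    { id: 'header', tag: 'div', owner: 'c:navBar', text: 'Nav' },
    { id: 'amount', tag: 'input', owner: 'c:payment', text: '' },
    { id: 'submit', tag: 'button', owner: 'c:payment', text: 'Pay' },
  ],
  querySelector(selector) {
    const id = selector.replace(/^#/, '');
    return this.elements.find((el) => el.id === id) || null;
  },
};

// Constructed stand-in for the browser window, including the framework
// globals the post says Locker blocks.
const rawWindow = {
  document: rawDocument,
  $A: { internals: 'aura framework object' },
  Aura: {},
  sfdc: {},
  sforce: {},
  location: { href: 'https://example.invalid/lightning' },
  setTimeout: (fn) => fn(),
};

const BLOCKED_GLOBALS = new Set(['$A', 'Aura', 'sfdc', 'sforce']);
const WINDOW_ALLOWLIST = new Set(['document', 'location', 'setTimeout']); // assumed for the example

// SecureElement: a narrow view of the node with no reference back to the raw object.
function secureElement(el) {
  return {
    id: el.id,
    tag: el.tag,
    getText: () => el.text,
    setText(value) { el.text = String(value); },
  };
}

function createSecureDocument(raw, componentKey) {
  return new Proxy(raw, {
    get(target, prop) {
      if (prop === 'querySelector') {
        return (selector) => {
          const el = target.querySelector(selector);
          // (B) containment: nodes rendered by other components are invisible.
          return el && el.owner === componentKey ? secureElement(el) : null;
        };
      }
      if (prop === 'cookie') return ''; // the session cookie never reaches component code
      return undefined;                 // everything else is off the allowlist
    },
    set() { throw new TypeError('SecureDocument does not allow writes'); },
  });
}

function createSecureWindow(raw, componentKey) {
  const secureDoc = createSecureDocument(raw.document, componentKey);
  return new Proxy(raw, {
    get(target, prop) {
      if (BLOCKED_GLOBALS.has(prop)) return undefined;  // (D) framework globals hidden
      if (prop === 'document') return secureDoc;        // (C) the wrapper, never the raw document
      if (WINDOW_ALLOWLIST.has(prop)) return target[prop];
      return undefined;
    },
    has(target, prop) { return WINDOW_ALLOWLIST.has(prop); },
    set() { throw new TypeError('SecureWindow does not allow new globals'); },
  });
}

// What a component keyed as c:payment sees through its wrappers.
function componentView(componentKey = 'c:payment') {
  const win = createSecureWindow(rawWindow, componentKey);
  return {
    ownElement: win.document.querySelector('#amount'),     // secure element
    foreignElement: win.document.querySelector('#header'), // null
    auraGlobal: win.$A,                                    // undefined
    cookie: win.document.cookie,                           // ''
  };
}
```

The design point is that the component never holds a reference to the raw objects: every read goes through a `get` trap, the wrapper returns a freshly built `secureElement` rather than the underlying node, and anything not on the allowlist simply reads as `undefined`, which is why code written against the real `window` (section A's third rule applies here too) must be checked against the wrapper before it is deployed.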

E) Lightning Locker Disabled for Unsupported Browsers

Lightning Locker is enabled in the supported browsers for Lightning Experience, except for IE11. Lightning Locker is disabled for IE11. We recommend using supported browsers other than IE11 for enhanced security.

F) Arrays Proxied When Passed to Child Components

Avoid passing large arrays of objects more than one level down. For example, pass an array from parent to child but no further. Divide your data into multiple smaller arrays in the parent component.

G) Content Security Policy (W3C Standard)

1. All JavaScript libraries must be uploaded to Salesforce static resources.
2. All external fonts, images, frames and CSS must use an HTTPS URL.
3. Script tags can't be used to load JavaScript.
4. Event handlers in HTML such as onclick, onchange, etc. can't use inline JavaScript.
5. CSP policy violations are logged in the browser's developer console.
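Rule 5 means violations are only discovered at runtime, in the console. The following added example (not a Salesforce tool) is a small pre-deployment check that scans a component template for the first four rules before the browser ever sees it. It assumes that static resources are referenced by paths under `/resource/`, a convention adopted for this example, and the two templates are constructed inputs.

```javascript
// Added example, not a Salesforce tool: a pre-deployment check that scans a
// component template for the four CSP rules above. It assumes static
// resources are referenced by paths under /resource/ (a convention adopted
// for this example).
const STATIC_RESOURCE_PREFIX = '/resource/';

function findCspViolations(markup) {
  const violations = [];
  const scriptTag = /<script\b[^>]*>/gi;
  const urlAttr = /\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const cssUrl = /url\(\s*["']?([^"')]+)["']?\s*\)/gi;
  // A quoted handler body is inline script; LWC's own onclick={handler}
  // binding is unquoted and is deliberately not flagged.
  const inlineHandler = /\bon[a-z]+\s*=\s*["'][^"']*["']/gi;

  for (const m of markup.matchAll(scriptTag)) {
    violations.push({ rule: 3, detail: `script tag: ${m[0]}` });
  }
  const urls = [...markup.matchAll(urlAttr), ...markup.matchAll(cssUrl)].map((m) => m[1]);
  for (const url of urls) {
    if (/^http:\/\//i.test(url)) {
      violations.push({ rule: 2, detail: `non-HTTPS resource: ${url}` });
    }
    if (/\.js(\?|$)/i.test(url) && !url.startsWith(STATIC_RESOURCE_PREFIX)) {
      violations.push({ rule: 1, detail: `JavaScript not served from static resources: ${url}` });
    }
  }
  for (const m of markup.matchAll(inlineHandler)) {
    violations.push({ rule: 4, detail: `inline event handler: ${m[0]}` });
  }
  return violations;
}

// Constructed template that breaks each rule at least once.
const BAD_TEMPLATE = `
<template>
  <script src="https://cdn.example.invalid/chart.js"></script>
  <link rel="stylesheet" href="http://fonts.example.invalid/font.css">
  <button onclick="doSomething()">Pay</button>
  <div style="background: url(http://img.example.invalid/bg.png)"></div>
</template>`;

// Constructed template written the way the rules require.
const GOOD_TEMPLATE = `
<template>
  <img src="https://static.example.invalid/logo.png">
  <button onclick={handlePay}>Pay</button>
</template>`;
```

Running `findCspViolations(BAD_TEMPLATE)` reports five findings: the script tag (rule 3), the same CDN script as JavaScript not served from static resources (rule 1), two plain-HTTP resources (rule 2) and the quoted onclick handler (rule 4), while `GOOD_TEMPLATE` reports none. A check like this belongs in CI so that CSP problems are caught before they become console errors in production.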
