Lightning Locker Service

Lightning Locker Service is the security architecture for Lightning components. It enhances security by isolating Lightning components that belong to one namespace from components in other namespaces, each running in its own container. Locker Service also promotes best practices that improve the supportability of your code by allowing access only to supported APIs and eliminating access to non-published framework internals.

Lightning Locker Service enforces the following security restrictions on component code:

  • JavaScript ES5 Strict Mode Enforcement

JavaScript ES5 Strict Mode is implicitly enabled, so we don’t need to specify “use strict” in our code. Strict mode requires variables to be declared with the var keyword (or let/const) before use and turns several failures that sloppy mode ignores silently, such as writing to a read-only property or reading this in a plain function call, into thrown errors. The libraries that our components use must also work in strict mode, because Locker applies the directive to them as well.
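The following is an added example, not code from Salesforce or from Lightning Locker Service itself. It compiles a handful of constructed snippets both with and without a prepended "use strict" directive, the way Locker implicitly applies strict mode to component code, and reports which snippets only work in sloppy mode. The snippet names and the harness functions are assumptions made here for illustration.

```javascript
// Added example (not Salesforce's or Locker's own code). Runs small snippets
// with and without an implicit "use strict" directive and reports the ones
// that Locker's strict-mode enforcement would break.

// Compile `src` as a function body. When `strict` is true the directive is
// prepended exactly as Locker does for component code and its libraries.
function compile(src, strict) {
  const body = (strict ? '"use strict";\n' : "") + src;
  // new Function builds the function in global scope, so a sloppy-mode
  // implicit global leaks onto globalThis, which is what we want to observe.
  return new Function(body);
}

// Runs a snippet in both modes. Returns { strict, sloppy, leakedGlobals }
// where strict/sloppy are "ok" or the name of the error thrown.
function runBothModes(src) {
  const result = { leakedGlobals: [] };
  // Strict first: a sloppy run may create a global that would let a later
  // strict-mode assignment to the same name succeed.
  for (const [mode, strict] of [["strict", true], ["sloppy", false]]) {
    const before = new Set(Object.keys(globalThis));
    try {
      compile(src, strict)();
      result[mode] = "ok";
    } catch (e) {
      result[mode] = e.name;
    }
    // Record and remove any global the snippet created so the harness is reusable.
    for (const key of Object.keys(globalThis)) {
      if (!before.has(key)) {
        result.leakedGlobals.push(key);
        delete globalThis[key];
      }
    }
  }
  return result;
}

// Constructed snippets representing patterns found in pre-Locker component code.
const SNIPPETS = {
  // Assigning to an undeclared name creates a global in sloppy mode.
  undeclaredVariable: "leakedCounter = 1;",
  // In a plain call `this` is the global object in sloppy mode, undefined in strict.
  implicitThis: "function helper() { return this.foo; } helper();",
  // Writing to a read-only property is silently ignored in sloppy mode.
  readOnlyWrite: "var o = Object.freeze({ apiVersion: 39 }); o.apiVersion = 40;",
  // Legacy octal literals are a SyntaxError under strict mode.
  legacyOctal: "var mode = 0755;",
  // Properly declared code behaves the same in both modes.
  declared: "var total = 0; for (var i = 0; i < 3; i++) { total += i; }",
};

// Names of snippets that work only in sloppy mode: the code Locker will break.
function sloppyOnlySnippets(snippets = SNIPPETS) {
  return Object.keys(snippets).filter((name) => {
    const r = runBothModes(snippets[name]);
    return r.sloppy === "ok" && r.strict !== "ok";
  });
}
```

Running the harness over a library before raising a component's API version gives a quick answer to the question the paragraph raises: the snippets that pass in sloppy mode but throw under strict mode are the ones that will start failing once Locker applies the directive.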

  • DOM Access Containment

A component can only traverse the DOM and access elements created by that component (in practice, by components in the same namespace). Global lookups such as document.querySelector() return only the elements the calling component owns, and walking up from an owned element stops at the component boundary. This behavior prevents the anti-pattern of reaching into DOM elements owned by other components.

  • Stricter Content Security Policy

Lightning Locker Service tightens the Content Security Policy (CSP) to mitigate cross-site scripting attacks by removing the unsafe-inline and unsafe-eval keywords from the script-src directive. The browser then refuses to run inline script blocks, inline event handler attributes and javascript: URLs, and blocks eval(), new Function() and string arguments to setTimeout()/setInterval(), so component code that depends on any of these must be rewritten.
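The following is an added example, not code from Salesforce or from Lightning Locker Service. It parses a CSP header, reports whether script-src still permits inline scripts or eval, and flags constructs in component code that the tightened policy would block. The two policy strings, the snippet of legacy component code and the pattern list are constructed here for illustration; the patterns are a lint heuristic over source text, not a JavaScript parser.

```javascript
// Added example (not Salesforce's or Locker's own code). Parses a CSP header
// and flags code that relies on 'unsafe-inline' or 'unsafe-eval'.

// Parse "directive value value; directive value" into Map<directive, [values]>.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// script-src falls back to default-src when it is absent, per the CSP spec.
function scriptSources(directives) {
  return directives.get("script-src") || directives.get("default-src") || [];
}

// What the policy lets script code do.
function scriptPolicy(header) {
  const sources = scriptSources(parseCsp(header));
  return {
    allowsInline: sources.includes("'unsafe-inline'"),
    allowsEval: sources.includes("'unsafe-eval'"),
  };
}

// Constructs blocked without 'unsafe-eval' (string-to-code) and without
// 'unsafe-inline' (script that is not loaded from an allowed source).
const EVAL_PATTERNS = [
  [/\beval\s*\(/, "eval()"],
  [/\bnew\s+Function\s*\(/, "new Function()"],
  [/\bset(?:Timeout|Interval)\s*\(\s*['"`]/, "setTimeout/setInterval with a string argument"],
];
const INLINE_PATTERNS = [
  [/\bon[a-z]+\s*=\s*['"]/i, "inline event handler attribute"],
  [/javascript:/i, "javascript: URL"],
  [/<script\b[^>]*>(?!\s*<\/script>)/i, "inline <script> block"],
];

// Returns the labels of constructs in `src` that policy `header` would block.
function cspViolations(src, header) {
  const policy = scriptPolicy(header);
  const findings = [];
  if (!policy.allowsEval) {
    for (const [re, label] of EVAL_PATTERNS) if (re.test(src)) findings.push(label);
  }
  if (!policy.allowsInline) {
    for (const [re, label] of INLINE_PATTERNS) if (re.test(src)) findings.push(label);
  }
  return findings;
}

// Constructed policies: a relaxed one and a Locker-style tightened one.
const RELAXED_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";
const LOCKER_STYLE_CSP = "default-src 'self'; script-src 'self'";

// Constructed legacy component code that relies on eval-style constructs
// and an inline event handler.
const LEGACY_COMPONENT_JS = `
  var fn = new Function("return " + expr);
  setTimeout("refresh()", 1000);
  el.innerHTML = '<button onclick="save()">Save</button>';
`;
```

One caveat worth knowing when reading real policies: when script-src carries a nonce or hash source, browsers ignore 'unsafe-inline' even if it is present, so a policy can be stricter than this check reports. The check errs on the permissive side, which is the right direction for a pre-migration lint.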

  • Restrictions to Global References

We can access intrinsic objects, such as Array, directly. Locker Service provides secure versions of non-intrinsic objects, such as window, document and DOM elements. The secure versions automatically and seamlessly control access to the underlying object and its properties: a property that is not exposed through the wrapper is not reachable from component code, so a component cannot use window as a route to framework internals or to another component's state.
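The following is an added example, not code from Salesforce or from Lightning Locker Service, that models the two behaviours described under DOM Access Containment and Restrictions to Global References. A constructed tree of plain objects stands in for the DOM, with each node tagged by the component that created it; a SecureElement-style Proxy only reaches nodes owned by the calling component, a SecureDocument-style query filters results the same way, and a SecureWindow-style Proxy passes intrinsics through, wraps document, exposes a short allow-list and hides everything else. The component names c:Header and c:Sidebar, the allow-lists and the raw window object are all assumptions made here; real Locker wraps live browser objects and its allow-lists are far longer.

```javascript
// Added example (not Salesforce's or Locker's own code): a toy model of
// DOM access containment and secure global wrappers.

// Constructed DOM: each node records which component created it.
function node(tag, owner, children = []) {
  const n = { tag, owner, children, parent: null, secret: `${owner}-data` };
  for (const c of children) c.parent = n;
  return n;
}
const ROOT = node("body", "host", [
  node("div", "c:Header", [node("input", "c:Header")]),
  node("div", "c:Sidebar", [node("a", "c:Sidebar")]),
]);

// Every node in document order (helper for the toy querySelectorAll).
function walk(n, out = []) {
  out.push(n);
  n.children.forEach((c) => walk(c, out));
  return out;
}

// Properties a secure element exposes; anything else reads as undefined.
const ELEMENT_ALLOW = new Set(["tag", "children", "parent", "textContent"]);

// Model of SecureElement: only nodes the calling component owns are reachable,
// and traversal through children/parent is itself wrapped and filtered.
function secureElement(raw, owner) {
  if (raw === null || raw.owner !== owner) return null;
  return new Proxy(raw, {
    get(target, prop) {
      if (!ELEMENT_ALLOW.has(prop)) return undefined;
      if (prop === "children") return target.children.map((c) => secureElement(c, owner)).filter(Boolean);
      if (prop === "parent") return secureElement(target.parent, owner);
      return target[prop];
    },
    set(target, prop, value) {
      if (!ELEMENT_ALLOW.has(prop)) throw new TypeError(`${String(prop)} is not settable through the wrapper`);
      target[prop] = value;
      return true;
    },
  });
}

// Model of SecureDocument: queries return only the calling component's nodes.
function secureDocument(root, owner) {
  return {
    querySelectorAll(tag) {
      return walk(root).filter((n) => n.tag === tag).map((n) => secureElement(n, owner)).filter(Boolean);
    },
  };
}

// Model of SecureWindow: intrinsics pass through, document is wrapped,
// a few globals are allow-listed and everything else is hidden.
const INTRINSICS = new Set(["Array", "Object", "JSON", "Math", "Promise", "Date"]);
const WINDOW_ALLOW = new Set(["setTimeout", "location"]); // constructed, not Locker's real list
function secureWindow(rawWindow, owner) {
  return new Proxy(rawWindow, {
    get(target, prop) {
      if (INTRINSICS.has(prop)) return target[prop];
      if (prop === "document") return secureDocument(target.document, owner);
      if (WINDOW_ALLOW.has(prop)) return target[prop];
      return undefined;
    },
    has(target, prop) {
      return INTRINSICS.has(prop) || prop === "document" || WINDOW_ALLOW.has(prop);
    },
  });
}

// Constructed raw window standing in for the browser's, including a
// made-up framework-internal object that must stay hidden.
const RAW_WINDOW = {
  document: ROOT, Array, Object, JSON, Math, Promise, Date,
  setTimeout: () => 0,
  location: { href: "https://example.my.salesforce.com/" },
  internalFrameworkState: { sessions: ["s1"] },
};

// What a component sees: run a callback against its secure window.
function asComponent(owner, fn) {
  return fn(secureWindow(RAW_WINDOW, owner));
}
```

The model makes the containment rule concrete: c:Header's query for input elements returns its own field, its query for a elements returns nothing even though an anchor exists on the page, and the parent of its top-level div is null because the body belongs to the host. On the window side, Array is the real intrinsic, location comes through the allow-list, and the made-up internalFrameworkState is neither readable nor reported by the in operator.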

  • Access to Supported JavaScript API Framework Methods Only

We can access only published, supported JavaScript API framework methods. These methods are documented in the reference doc app at https://yourDomain.lightning.force.com/auradocs/reference.app. Previously, unsupported methods were accessible, which exposed your code to the risk of breaking when those methods were changed or removed.

Lightning Locker Service is enabled by default for all Lightning components with API version 40.0 or higher. Locker Service isn’t enabled for components with API version 39.0 or lower. To enable Lightning Locker Service for a component, set its API version to 40.0 or higher (the apiVersion element in the component bundle’s -meta.xml file). Raising the version is also the point at which the strict-mode, DOM and global-reference restrictions above start applying to that component, so test it, and the libraries it loads, after the change.