- LockerService Enforcement Is Dependent on the API Version
- LockerService is enforced for all Lightning components created after Summer ’17 (API version 40.0). LockerService isn’t enforced for components with API version 39.0 and lower, which covers any component created before Summer ’17.
- Stricter Content Security Policy (CSP) Restrictions Aren’t Enforced
- The stricter CSP restrictions, which mitigate the risk of cross-site scripting attacks, have been decoupled from LockerService and aren’t enforced in production orgs in Summer ’17. The stricter CSP changes are available only in sandbox and Developer Edition orgs and can be activated in two new critical updates, one for Communities and one for other contexts. The critical updates give you more time to update your code to work with stricter CSP.
LockerService Features Activated
LockerService enforces some security features and encourages best practices to make your code more supportable.
- A few common stumbling points when using strict mode are:
- You must declare variables with the var keyword.
- You must explicitly attach a variable to the window object to make the variable available outside a library.
- The libraries that your components use must also work in strict mode.
- DOM Access Containment
- A component can only traverse the DOM and access elements created by a component in the same namespace. This behavior prevents the anti-pattern of reaching into DOM elements owned by components in another namespace.
- Restrictions to Global References
- LockerService applies restrictions to global references. LockerService provides secure versions of non-intrinsic objects, such as window. For example, the secure version of window is SecureWindow. You can interact with a secure wrapper in the same way as you interact with the non-intrinsic object, but the secure wrappers filter access to the object and its properties. The secure wrappers expose a subset of the API of the underlying objects.
- The LockerService API Viewer shows the DOM APIs exposed by LockerService. The API Viewer app lists the API for SecureDocument, SecureElement, and SecureWindow.
- The current UI for the API Viewer is unpolished. Bear with us while we improve it. There’s a lot of information but the main takeaway is that a background green color means that the DOM method is supported.
Disabling LockerService for a Component
When a component is set to at least API version 40.0, which is the version for Summer ’17, LockerService is enabled. LockerService is disabled for any component created before Summer ’17 because these components have an API version less than 40.0. To disable LockerService for a component, set its API version to 39.0 or lower.
Component versioning enables you to associate a component with an API version. When you create a component, the default version is the latest API version. In Developer Console, click Bundle Version Settings in the right panel to set the component version.
LockerService is enabled for a component or an application purely based on component version. The containment hierarchy within an application or a component doesn’t factor into LockerService enforcement.
Let’s look at an example where Component A contains Component B. If Component A has API version 40.0, LockerService is enabled. If Component B has API version 39.0, LockerService is disabled for Component B even though it’s contained in a component, Component A, that has LockerService enabled.
For consistency and ease of debugging, we recommend that you set the same API version for all components in your app, when possible.
LockerService Setting for Managed Packages Has Been Removed
In Spring ’17, there was a separate setting to control whether LockerService was enforced for components installed from a managed package. This Enable LockerService for Managed Packages setting has been removed from the Lightning Components page under Setup.
Components installed from a managed package are treated the same as any other component and are subject to LockerService restrictions.
New AppExchange security reviews and periodic re-reviews will require components to be version 40.0 or higher so that LockerService is enabled. The version requirement ensures that components installed from managed packages follow the security best practices that are enforced by LockerService.
What Does LockerService Affect?
- Lightning Experience
- Lightning Communities
- Standalone apps that you create (for example, myApp.app)
- Any other app where you can add a custom Lightning component, such as Salesforce Console in Lightning Experience
- Lightning Out
- Salesforce Classic
- Visualforce-based communities
- Any apps for Salesforce Classic, such as Salesforce Console in Salesforce Classic