Looking to take cloud app security to a new level, Salesforce is rolling out its LockerService architecture for its Lightning apps platform.
Lightning provides components for building multi-form-factor apps for deployment on Salesforce App Cloud. LockerService isolates individual components in their own containers and helps promote coding best practices, said Ryan Ellis, vice president of product management at Salesforce.
Salesforce's goals with LockerService include keeping application components from causing cross-site scripting (XSS) issues or other problems, preventing components from reading other components’ rendered data without restrictions, and stopping components from calling undocumented or private APIs.
With the LockerService DOM access containment feature, a component can only traverse the DOM and access elements created by that component. This prevents the "anti-pattern" of reaching into DOM elements owned by other components. Content security policy has also been tightened to eliminate XSS attacks by removing the
unsafe-eval keywords for inline scripts (script-src).
The architecture will be rolled out as a "critical update," Ellis said. "Critical updates give customers time to evaluate and test a change in their sandbox environments before enabling it in their production environment and is standard practice for us with deeper changes such as this one." Half of customers received LockerService last weekend as part of the Salesforce Summer '16 rollout, and the other half will get it this coming weekend.