Salesforce puts Lightning in a tightly sealed bottle

The LockerService architecture isolates components in their own containers and stops them from calling undocumented or private APIs

Salesforce puts Lightning in a tightly sealed bottle
skeeze via Pixabay

Looking to take cloud app security to a new level, Salesforce is rolling out its LockerService architecture for its Lightning apps platform.

Lightning provides components for building multi-form-factor apps for deployment on Salesforce App Cloud. LockerService isolates individual components in their own containers and helps promote coding best practices, said Ryan Ellis, vice president of product management at Salesforce.

Salesforce's goals with LockerService include keeping application components from causing cross-site scripting (XSS) issues or other problems, preventing components from reading other components’ rendered data without restrictions, and stopping components from calling undocumented or private APIs.

LockerService enforces JavaScript ECMAScript 5 Strict Mode without developers having to specify it. Enforcement covers declaration of variables with the var keyword and other JavaScript coding best practices. Libraries used by components must also run in strict mode.

With the LockerService DOM access containment feature, a component can only traverse the DOM and access elements created by that component. This prevents the "anti-pattern" of reaching into DOM elements owned by other components. Content security policy has also been tightened to eliminate XSS attacks by removing the unsafe-inline and unsafe-eval keywords for inline scripts (script-src).

LockerService features client-side API versioning, a faster security review, more secure JavaScript development practices, and the ability to run JavaScript frameworks like React and Angular.

The architecture will be rolled out as a "critical update," Ellis said. "Critical updates give customers time to evaluate and test a change in their sandbox environments before enabling it in their production environment and is standard practice for us with deeper changes such as this one." Half of customers received LockerService last weekend as part of the Salesforce Summer '16 rollout, and the other half will get it this coming weekend.

Copyright © 2016 IDG Communications, Inc.

How to choose a low-code development platform