In this post, I'll look at how Lightning Web Security (LWS) makes developers' lives easier on the Salesforce Platform when building Lightning Web Components, and how it replaces Lightning Locker.
What is Lightning Locker Service?
Lightning Locker is the default security architecture for Lightning components (Aura and LWC). It primarily isolates components so that components in one namespace can't interact with components in a different namespace, and it promotes secure coding practices.
How is this implemented?
- JavaScript strict mode is enforced: an assignment to an undeclared variable no longer creates a global, so a variable must be attached to the window object explicitly to be global
- DOM access containment: a component cannot traverse into the DOM of a component from a different namespace, which blocks the anti-pattern of reaching into another component's markup
- Secure wrappers: rather than giving components the raw global objects, Locker hands them wrapped versions, for example window becomes SecureWindow (and document becomes SecureDocument)
- eval() is limited in scope: it is supported so that third-party libraries still work, but it runs as an indirect eval and cannot access local variables in the scope from which it is called
- MIME types: Locker permits some MIME types, sanitizes some and blocks the rest
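The two JavaScript behaviours Locker leans on (strict mode and indirect eval) can be seen in plain JavaScript, and the secure-wrapper idea can be sketched with a Proxy. The block below is an added example written for this post; it is not Locker's code. The makeSecureWrapper function and the fakeWindow object are a hypothetical illustration of what wrapping window into SecureWindow achieves, not the real wrapper. It runs unchanged in Node.

```javascript
// Added example: JavaScript semantics behind Lightning Locker's rules.
// None of this is Locker's own code; see the lead-in for what is assumed.

// 1. Strict mode: an undeclared assignment does not create a global.
//    Returns true only if the implicit global was created (sloppy mode).
function implicitGlobalAllowed() {
  'use strict';
  try {
    // In sloppy mode this would silently create globalThis.leakedCounter.
    leakedCounter = 1; // eslint-disable-line no-undef
    return true;
  } catch (e) {
    return !(e instanceof ReferenceError);
  }
}

// Under strict mode a global has to be attached explicitly
// (window in a browser, globalThis everywhere).
function explicitGlobal(name, value) {
  globalThis[name] = value;
  return globalThis[name];
}

// 2. Direct eval runs in the caller's scope and can read its locals.
function directEvalSeesLocals() {
  const localSecret = 'session-token';
  return eval('localSecret') === localSecret;
}

// Indirect eval (the form Locker supports) runs in global scope and
// cannot see the caller's locals: the lookup throws ReferenceError.
function indirectEvalSeesLocals() {
  const localSecret = 'session-token';
  const indirectEval = (0, eval); // comma expression forces the indirect form
  try {
    return indirectEval('localSecret') === localSecret;
  } catch (e) {
    if (e instanceof ReferenceError) return false;
    throw e;
  }
}

// 3. Hypothetical secure wrapper: a Proxy that hands back the real
//    object for most properties but denies a list of sensitive ones.
//    This only illustrates the wrapper concept, not Locker's implementation.
function makeSecureWrapper(target, deniedProps) {
  return new Proxy(target, {
    get(obj, prop, receiver) {
      if (deniedProps.includes(prop)) {
        throw new Error(`Access to ${String(prop)} is denied by the secure wrapper`);
      }
      return Reflect.get(obj, prop, receiver);
    },
  });
}

// Constructed stand-in for window so the demo runs outside a browser.
const fakeWindow = { location: 'https://example.invalid/app', cookie: 'sid=abc' };

// Returns which accesses on the wrapped object succeeded and which were blocked.
function wrapperDemo() {
  const secureWindow = makeSecureWrapper(fakeWindow, ['cookie']);
  const result = { location: secureWindow.location, cookieBlocked: false };
  try {
    void secureWindow.cookie;
  } catch (e) {
    result.cookieBlocked = true;
  }
  return result;
}

module.exports = { implicitGlobalAllowed, explicitGlobal, directEvalSeesLocals, indirectEvalSeesLocals, makeSecureWrapper, wrapperDemo };
```

Run it with node and call the functions: implicitGlobalAllowed() is false, directEvalSeesLocals() is true while indirectEvalSeesLocals() is false, and wrapperDemo() shows location readable but cookie blocked. That last pair is the same shape of restriction a component hits when Locker hands it SecureWindow instead of window.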
Why is Locker Service challenging?
What is Lightning Web Security?
- it is modeled on TC39 (ECMAScript) standards rather than on a proprietary wrapper layer
- a noticeable improvement is that there is no need for wrappers: components work with the real window and document objects, and LWS enforces the namespace boundary with a sandbox per namespace
- eval() is no longer blocked, but code evaluated with it still runs inside the namespace sandbox, so it is still prevented from running malicious code against other namespaces
- a component's access to the DOM is controlled by the browser via the Shadow DOM: document.querySelector() cannot reach inside another component's shadow tree, and a component queries its own markup through this.template.querySelector(). Locker, by contrast, only allowed a component to access elements it had created
- DOM requests are no longer filtered; in Locker, arrays and objects passed between components were filtered, which caused performance problems
How to Enable LWS?
Try it in a sandbox org first and verify that your components still work; ideally no refactoring is needed.
- From Setup, in the Quick Find box, enter Session, and then select Session Settings.
- On the Session Settings page, select Use Lightning Web Security for Lightning web components and save.
- Clear your browser cache after enabling or disabling Lightning Web Security to ensure the correct files are loaded in the browser. If you suspect that the correct security architecture is not in effect, see Delayed Enabling or Disabling of LWS.
Stay tuned for more posts around this topic.