
Lightning Locker Services

1 What is Lightning Locker Service?
2 Why is there a need for Lightning Locker?
-- Why do we say that browsers can be insecure?
-- What is malicious JavaScript?
-- What is cross-site scripting (XSS)?
3 How does it impact your Lightning Components?
4 How you can enable/disable Lightning Locker
5 Demo

Published in: Education


  1. Farmington Hills Salesforce Developer User Group, Apex Hours: Lightning Locker Service. #SalesforceApexHours #FarmingtonHillsSFDCDug. Speakers: Manish Choudhari, Jigar Shah, Amit Chaudhary. Date: Saturday, DEC 15, 2018, 10:00 AM EST (8:30 PM IST). Venue/Link
  2. Who am I? Jigar Shah • Active on Salesforce Developer Community • Blog at https://learnsfdcwithjigar.wordpress.com • Salesforce Global Community Speaker • ApexHours Co-organizer • Follow us @jigarshah189 or @ApexHours
  3. Our Speaker: Manish Choudhari, 14x Certified Salesforce Developer, Salesforce.com Blogger & Author – http://sfdcfacts.com. YouTube – https://youtube.com/SFDCFacts. Follow me @manish_sfdc
  4. Agenda • What is Lightning Locker Service? • Why is there a need for Lightning Locker? • Why do we say that browsers can be insecure? • What is malicious JavaScript? • What is cross-site scripting (XSS)? • How does it impact your Lightning Components? • How you can enable/disable Lightning Locker • Demo
  5. What is Lightning Locker Service? Lightning Locker is a layer that sits between your component's JavaScript and the browser's real DOM (window, document and the elements in it). Component code never touches those objects directly; it is handed secure wrappers (SecureWindow, SecureDocument, SecureElement) that expose only the parts of the page the component owns and only the supported APIs, and the wrappers pass permitted calls through to the real browser. In other words, Lightning Locker acts like a virtual browser that lets only allowed requests reach the real DOM; this virtual browser sits in front of your unsafe real browser.
  6. Why is there a need for Lightning Locker?
  7. Why do we say that browsers can be insecure? Your browser is just an application that parses HTML and runs JavaScript to render web pages; it is the medium through which the end user interacts with your application. The browser cannot tell a script written by the site's developers from one injected by an attacker: any JavaScript that ends up in a page runs with the full privileges of that page, including its cookies and session. Whatever protection exists has to come from the application itself, by treating every input as potentially hostile.
  8. What is malicious JavaScript? JavaScript has access to the whole web page and can read cookies (document.cookie, unless the cookie is marked HttpOnly), send HTTP requests to external servers using XHR, and read sensitive data the user has typed into forms. Those same capabilities become harmful when the code using them was not written by the application's authors but planted by an attacker.
  9. What is cross-site scripting (XSS)? XSS is an attack in which a malicious party (the hacker) gets their own JavaScript injected into a web page that other users view, typically by supplying it as input that the page later renders without encoding it. Because the injected code runs inside the victim's page, it can steal browser cookies, read the user's session information and act on the user's behalf.
  10. Injecting Via Form: In this case, the hacker needs to identify an input element (a comment box, a profile field, a search form) whose contents are stored or echoed back into the page. The malicious JavaScript is pasted into that field and runs whenever the page renders the unescaped value.
  11. Injecting Via URL: In this case, the hacker replaces a URL parameter with malicious JavaScript, which runs if the page copies the parameter into its HTML without encoding it; the victim only has to open the crafted link. For example: http://sfdcfacts.com?postId=<script>alert('you are hacked');</script>
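Added example, not from the slides or from sfdcfacts.com: the attack URL above, read the way page JavaScript would read it, rendered once without encoding and once with HTML entity encoding. The parameter name postId and the URL are the slide's; the render functions, the escaping helper and the check are hypothetical illustrations, not the site's code.

```javascript
// Added example, not from the slides or from sfdcfacts.com: a reflected XSS
// payload travels in a URL parameter and becomes live script only because
// the page writes it into markup without encoding. The parameter name postId
// and the URL mirror the slide; the render functions are hypothetical.

// The slide's attack URL, used here as constructed test input.
const ATTACK_URL =
  "http://sfdcfacts.com?postId=<script>alert('you are hacked');</script>";

// Read the parameter the way page JavaScript typically would.
// URLSearchParams percent-decodes, so the raw payload comes back intact.
function getPostId(url) {
  return new URL(url).searchParams.get("postId");
}

// VULNERABLE: untrusted input interpolated straight into HTML. If the server
// echoes this string into the response, or the page writes it with
// document.write(), the browser parses the <script> tag and runs it with the
// page's origin, cookies and session. (innerHTML does not run <script>
// tags, but it does run handlers such as <img src=x onerror=...>.)
function renderPostIdVulnerable(postId) {
  return `<h1>Post ${postId}</h1>`;
}

// Entity-encode the five characters that matter inside element content and
// quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// FIXED: same template, but the input is encoded first, so the payload is
// displayed as literal text instead of being parsed as a tag.
function renderPostIdSafe(postId) {
  return `<h1>Post ${escapeHtml(postId)}</h1>`;
}

// Reviewer's check: is there still a parseable <script> tag in the output?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

const payload = getPostId(ATTACK_URL);
console.log("vulnerable:", renderPostIdVulnerable(payload));
console.log("safe:      ", renderPostIdSafe(payload));
```

Inside Lightning components the framework's own template expressions are encoded for you; the equivalent mistake is pushing such a value through aura:unescapedHtml or a raw innerHTML assignment.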
  12. How does it impact your Lightning Components? The Lightning Framework is component-based: multiple components are placed together on the same page to produce a combined output. These components can be: • Base lightning components (lightning namespace, like lightning:button) • Other out-of-the-box components (like the force, ui and aura namespaces) • Custom components (your org's own components, generally in the "c" namespace) • Managed/unmanaged package components
  13. Security Vulnerabilities (without Lightning Locker) • One component can traverse the DOM of another component. That means a managed-package component on the same page can read, or walk through, the DOM rendered by your org's custom components, including values the user has typed into their form fields. • Components can call private, undocumented framework APIs, which bypass the framework's own checks and can change without notice. • If strict mode is not enabled (as it is not, by default, without Lightning Locker), sloppy JavaScript such as implicit globals is silently accepted, which can lead to other security issues.
  14. Example
  15. DOM Structure (Without Lightning Locker)
  16. DOM Structure (With Lightning Locker)
  17. Advantages of Lightning Locker Services • A component cannot traverse the DOM of another component that belongs to a different namespace. For example, your code cannot read the DOM of Lightning base components, because they belong to the "lightning" namespace, and a managed-package component cannot read the DOM of your "c" components. • Custom components do not have access to private system APIs; for example, a custom component cannot call $A.eventService. • JavaScript strict mode is enabled automatically and does not have to be declared with "use strict" in every file. • External JavaScript libraries cannot be loaded from arbitrary URLs; they have to be uploaded as static resources and loaded from there. • Salesforce-authored (out-of-the-box) components still have unrestricted access to the DOM and APIs, because they run in System Mode.
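Added example, not Salesforce's Locker implementation: a toy model of the namespace filtering described in slides 13 and 17. Each element records the namespace of the component that rendered it, and a component only ever receives a wrapper that hides other namespaces from traversal, while system-mode code sees the whole tree. The element shape, the "pkg" namespace, the element ids and the wrapper functions are all assumptions made for the illustration.

```javascript
// Added example, not Salesforce's Locker implementation: a simplified model
// of the per-namespace DOM filtering the slides describe. Every element
// records the namespace of the component that rendered it, and a component
// only ever receives a wrapper that hides other namespaces from traversal.
// The element shape, the "pkg" namespace and the wrapper API are assumptions.

const SYSTEM_NS = "lightning"; // stands in for Salesforce-authored components

// Constructed page tree: the org's own "c" component hosts a base lightning
// button and a managed-package ("pkg") widget on the same page.
const page = {
  tag: "div", ns: "c", id: "root", children: [
    { tag: "input", ns: "c", id: "ssn", value: "123-45-6789", children: [] },
    { tag: "button", ns: "lightning", id: "save", children: [] },
    { tag: "div", ns: "pkg", id: "widget", children: [
      { tag: "span", ns: "pkg", id: "badge", children: [] },
    ] },
  ],
};

// Pre-order walk over whatever node objects it is handed (raw or wrapped).
function walk(node, out = []) {
  if (!node) return out;
  out.push(node);
  for (const child of node.children) walk(child, out);
  return out;
}

// Without Locker: any script on the page reaches every element.
function unprotectedIds() {
  return walk(page).map((n) => n.id);
}

// With the model: a Proxy that filters `children` down to elements the
// calling namespace owns. Anything below a foreign element is unreachable,
// because the foreign element itself is never handed out. System-mode code
// (SYSTEM_NS) is not filtered at all.
function secureWrap(node, callerNs) {
  const visible = (n) => callerNs === SYSTEM_NS || n.ns === callerNs;
  if (!visible(node)) return null;
  return new Proxy(node, {
    get(target, prop) {
      if (prop === "children") {
        return target.children.filter(visible).map((c) => secureWrap(c, callerNs));
      }
      return target[prop];
    },
  });
}

// A component is handed a wrapper of its own root, never of the page itself.
function componentView(callerNs) {
  const own = callerNs === SYSTEM_NS ? page : walk(page).find((n) => n.ns === callerNs);
  return own ? secureWrap(own, callerNs) : null;
}

// Which element ids can code in callerNs traverse to?
function visibleIds(callerNs) {
  return walk(componentView(callerNs)).map((n) => n.id);
}

// Can code in callerNs read the value of the element with this id?
function readValue(callerNs, id) {
  const hit = walk(componentView(callerNs)).find((n) => n.id === id);
  return hit ? hit.value : undefined;
}

console.log("no Locker:", unprotectedIds());
console.log("c sees:   ", visibleIds("c"));
console.log("pkg sees: ", visibleIds("pkg"));
console.log("pkg reads ssn:", readValue("pkg", "ssn"));
```

The point of the model is the shape of the control, not its completeness: the package component never obtains a reference to the "c" input, so there is nothing for it to read, whereas the unfiltered walk shows what every script on the page could reach before Locker. The real SecureElement wrappers also filter attributes, events and window/document globals, which this toy omits.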
  18. How you can enable/disable Lightning Locker. How to disable Lightning Locker? Set the API version of the Lightning component bundle to 39 or below; Locker is then turned off for that bundle only, and the bundle gives up every protection listed above, so treat this as a short-term migration aid rather than a fix. How to enable Lightning Locker? Lightning Locker is enabled automatically for component bundles whose API version is 40 or above.
  19. Demo
  20. Q&A
  21. Reference Resources • http://sfdcfacts.com/lightning/why-there-is-a-need-for-lightning-locker-lightning-locker-services-part-1/ • http://sfdcfacts.com/lightning/lightning-locker-explained-with-example-lightning-locker-services-part-2/ • https://youtu.be/UgzQBVEVvfg
  22. Follow us #SalesforceApexHours @ApexHours • https://trailblazercommunitygroups.com/farmington-mi-developers-group/ • https://www.youtube.com/channel/UChTdRj6YfwqhR_WEFepkcJw/videos • https://www.facebook.com/SalesforceApexHours
