
What’s New with Locker Service

If you’ve been using Salesforce for a while, you know that trust is one of our highest values. We want you to feel safe leveraging the Lightning Platform, even in the midst of scary computer security stories. That is why we developed Locker Service, and this blog post is going to help illustrate everything you need to know about the enhancements we’ve been making.

Why you need Locker Service

Computer security had a rough year. We witnessed data breaches at Uber and Equifax, to name just two incidents at large companies. The Spectre and Meltdown vulnerabilities were found in microprocessors from Intel, AMD and other vendors. Google had to take down over 700,000 Android apps, and Facebook is under FTC investigation over its handling of user data.

Each one of these businesses invests a tremendous amount of effort into security. Still, they make the news and face challenges because of fundamental changes in computing.

Specifically:

Barriers are disappearing between business entities, between office and mobile, and between hardware and software. Everything is available digitally using some process, somewhere in some system, because all valuable information eventually gets computerized.

The browser is our primary portal to this interconnected digital world. Although modern browsers evolve rapidly to fix security holes thanks to auto-update, several new security practices are still optional or even incomplete. That’s where Locker Service comes in.

Locker Service is a virtual browser layer that sits in front of the real browser to ensure safe code execution. It disables unsafe browser features or replaces them with secured versions.

Meltdown and Spectre can be exploited from JavaScript to read memory belonging to the browser process, which can include sensitive data such as passwords. In-browser exploits depend on a high-resolution timer, and SharedArrayBuffer is the feature that lets a page build one.
Although browsers disabled SharedArrayBuffer by default in response, Locker Service ensures that it is completely unavailable beginning Summer ‘18.

Tip: Use the Locker Service API (URL) viewer to quickly discover which browser features are supported.
If you are facing a compatibility issue, check whether the API you need is listed in red (not supported) or in orange (supported, but with different behavior from the native browser API).

Login sessions

Every time you log in to a website, a session is established so you don’t have to log in again on every page load. The browser usually stores the session identifier in a cookie, and all cookies live in the browser’s “cookie jar.” Locker Service protects the cookie jar from unauthorized use, but previously it had to disable “unsafe-eval” through Content Security Policy (CSP) to make that protection effective, because eval() and Function() gave third-party code a way around the protected globals.

Beginning with Summer ‘18, Locker Service provides a safe eval() and a safe Function() to improve compatibility with third-party code while maintaining full protection, and turning on CSP doesn’t disable those APIs anymore.

For example, templating engines can really improve the maintainability of a project when creating HTML. To speed up rendering, those engines often use Function() to compile a template into a JavaScript function once and then call it for every render.
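The following is an added illustration, not Locker Service’s own code, of why a “safe Function()” is enough to keep such engines working. A toy template compiler builds a render function with Function(), exactly as templating engines do; the sandboxed safeFunction() it calls compiles the body through the real Function() but shadows the globals we do not want untrusted code to reach (SharedArrayBuffer, window, document, globalThis), so the compiled code runs normally yet cannot touch them. The restricted window object, the helper names and the exact set of shadowed globals are assumptions for the example; real Locker Service uses a different and far more complete mechanism.

```javascript
'use strict';

// Added example, not Locker Service code. Everything below is an
// illustration of the "safe Function()" idea: compile untrusted source,
// but make the globals it must not reach resolve to our replacements.

// Escapes text for safe insertion into HTML (made available to templates).
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// safeFunction(...params, body) behaves like Function(...params, body),
// except that the names listed in `scope` are shadowed inside the compiled
// code: undefined disables a feature, an object is a restricted replacement.
function safeFunction(...args) {
  const body = args.pop();
  const params = args;

  const scope = {
    SharedArrayBuffer: undefined,                   // removed: timer primitive used by Spectre PoCs
    window: Object.freeze({ location: { href: 'about:blank' } }), // hypothetical restricted window
    document: undefined,
    globalThis: undefined,
    Function: safeFunction,                         // nested compilation stays sandboxed
    escapeHtml,                                     // helper exposed to compiled templates
  };
  const names = Object.keys(scope);
  const values = names.map((n) => scope[n]);

  // The real Function() builds an outer function whose parameters shadow the
  // globals; it returns the inner function that carries the untrusted body.
  // The inner function is strict so a bare `this` is undefined, not the global.
  const factory = new Function(
    ...names,
    `return function (${params.join(', ')}) { 'use strict'; ${body} };`
  );
  return factory(...values);
}

// Expression-only counterpart of eval() built on the same sandbox.
function safeEval(expression) {
  return safeFunction(`return (${expression});`)();
}

// Toy templating engine: "Hello, {{name}}" becomes a compiled render function.
// Placeholders are restricted to identifier characters, and every value is
// HTML-escaped, so the generated body never contains attacker-controlled code.
function compileTemplate(template) {
  const parts = template.split(/{{\s*(\w+)\s*}}/); // alternates: text, key, text, ...
  let body = 'let out = "";';
  parts.forEach((part, i) => {
    body += i % 2 === 0
      ? ` out += ${JSON.stringify(part)};`
      : ` out += escapeHtml(data[${JSON.stringify(part)}]);`;
  });
  body += ' return out;';
  return safeFunction('data', body);
}

// Constructed sample usage.
const render = compileTemplate('<p>Hello, {{name}}!</p>');
console.log(render({ name: '<script>alert(1)</script>' }));
console.log(safeEval('typeof SharedArrayBuffer'));   // inside the sandbox
console.log(typeof SharedArrayBuffer);               // outside it, in plain Node
```

Two caveats a practitioner should keep in mind. First, lexical shadowing alone is not a sandbox: code can still reach the real Function() through prototype chains, for example `({}).constructor.constructor`, which is why a production implementation such as Locker Service also wraps objects and their prototypes rather than only renaming globals. Second, the protection works because the compiled template body is generated from a fixed grammar with escaped values; feeding arbitrary template strings from an untrusted source into any engine that compiles through Function() is still code execution, safe wrapper or not.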

If your project depends directly on a templating engine (such as