So, what’s the frightening Lightning Locker Service? It is a combination of security features that have been implemented for you so that your Lightning Components are secure and other components don’t break yours! So, nothing frightening at all, right?
With Locker Service active, we have to bear in mind:
- Locker Service enforces CSP (Content Security Policy), a security standard that protects against XSS, clickjacking and other code injection attacks. This means that insecure functions, such as eval, won’t be compliant with Locker Service.
Knowing all of this, let’s see if the Components I have developed so far for my blog work with Locker Service active!
Second, I have done the same test with the components I created in this Lightning Components Attributes post. This time, when I try to render the container component I receive this error:
However, if I deactivate the Locker Service critical update, which is possible in Summer 16, the component works like a charm.
If I open Lightning Inspector for debugging, I find that the error tells me that “key” is not defined in line 20 of my renderer function:
Here we have the problem! I was defining key as a global var, which, remember, is not allowed, according to what we said before. Finally, fixing the line as follows solves the problem:
for (var key in ratingsByProduct)
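Why the same loop works with Locker Service off and fails with it on: Locker Service runs component code in ES5 strict mode, where assigning to an undeclared variable throws instead of creating a global. The following is an added example, not the component code from this post; only the names `key` and `ratingsByProduct` come from the post, while the loop body, sample data and `probe` helper are constructed for illustration.

```javascript
// Constructed sample data; `ratingsByProduct` and `key` are the names from the post.
const sampleRatings = { laptop: [5, 4], phone: [3] };

// Original loop in non-strict code (Locker Service off). The Function constructor
// is used only so this body stays non-strict however the file is loaded.
const countSloppy = new Function('ratingsByProduct', `
  var count = 0;
  for (key in ratingsByProduct) { count += ratingsByProduct[key].length; }
  return count;
`);

// Same loop under strict mode, which is what Locker Service enforces.
function countStrictBroken(ratingsByProduct) {
  'use strict';
  var count = 0;
  for (key in ratingsByProduct) { count += ratingsByProduct[key].length; }
  return count;
}

// The fix from the post: declare `key` in the loop header.
function countStrictFixed(ratingsByProduct) {
  'use strict';
  var count = 0;
  for (var key in ratingsByProduct) { count += ratingsByProduct[key].length; }
  return count;
}

// Hypothetical helper: runs fn and reports its result, any error name,
// and whether a global named `key` was left behind.
function probe(fn, data) {
  delete globalThis.key;
  var out = { value: null, error: null, leakedGlobal: false };
  try { out.value = fn(data); } catch (e) { out.error = e.name; }
  out.leakedGlobal = Object.prototype.hasOwnProperty.call(globalThis, 'key');
  delete globalThis.key;
  return out;
}

console.log('non-strict     ', probe(countSloppy, sampleRatings));
console.log('strict, broken ', probe(countStrictBroken, sampleRatings));
console.log('strict, empty  ', probe(countStrictBroken, {}));
console.log('strict, fixed  ', probe(countStrictFixed, sampleRatings));
```

The empty-object case shows that the broken loop only throws once there is at least one key to iterate, so a component can pass a test with no data and still fail in use.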
How can you check that your code is Locker Service compliant? Salesforce has provided us with a Lightning CLI tool that can help with that.
- Summer 16:
  - Automatically turned on in brand new Summer 16 orgs
  - Also turned on in older orgs without Lightning Components
  - Critical update for orgs with at least one Lightning Component
  - Can be toggled, either directly or by request
- Winter 17:
  - Turned on in all orgs
- Spring 17:
  - CSP fully enabled