Paul Krill
Editor at Large

Salesforce puts Lightning in a tightly sealed bottle

news
Jun 9, 2016

The LockerService architecture isolates components in their own containers and stops them from calling undocumented or private APIs

Looking to take cloud app security to a new level, Salesforce is rolling out its LockerService architecture for its Lightning apps platform.

Lightning provides components for building multi-form-factor apps for deployment on Salesforce App Cloud. LockerService isolates individual components in their own containers and helps promote coding best practices, said Ryan Ellis, vice president of product management at Salesforce.

Salesforce’s goals with LockerService include keeping application components from causing cross-site scripting (XSS) issues or other problems, preventing components from reading other components’ rendered data without restrictions, and stopping components from calling undocumented or private APIs.

LockerService enforces JavaScript ECMAScript 5 Strict Mode without developers having to specify it. Enforcement covers declaration of variables with the var keyword and other JavaScript coding best practices. Libraries used by components must also run in strict mode.

With the LockerService DOM access containment feature, a component can only traverse the DOM and access elements created by that component. This prevents the “anti-pattern” of reaching into DOM elements owned by other components. The content security policy has also been tightened to eliminate XSS attacks by removing the unsafe-inline and unsafe-eval keywords from the script-src directive that governs inline scripts.
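The two enforcement points above, strict mode and the script-src keywords, can be illustrated with a short Node.js script. This is an added example, not Salesforce's code; the function names runComponentScript and scriptSrcWeaknesses are this example's own, and the component sources and CSP headers are constructed samples.

```javascript
// Added example (not Salesforce's code): two of the checks the article
// describes, written as stand-alone Node.js functions.

// 1. Strict-mode enforcement: a component's script is wrapped in a
//    strict-mode function before it runs, so a sloppy-mode habit such as
//    assigning to an undeclared variable throws instead of silently
//    creating a global. The Function constructor is used only to stand in
//    for a component loader; runComponentScript is not a Lightning API.
function runComponentScript(source) {
  try {
    new Function('"use strict";\n' + source)();
    return { ok: true, error: null };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// 2. Content-Security-Policy review: report whether the script-src
//    directive still permits inline scripts or eval, the two keywords the
//    article says the tightened policy removes.
function scriptSrcWeaknesses(cspHeader) {
  const directives = cspHeader.split(';').map(d => d.trim()).filter(Boolean);
  const scriptSrc = directives.find(d => d.startsWith('script-src'));
  // With no script-src the browser falls back to default-src (or, if that is
  // absent too, allows everything), so a reviewer should flag that as well.
  if (!scriptSrc) return ['missing script-src'];
  const sources = scriptSrc.split(/\s+/).slice(1);
  return sources.filter(s => s === "'unsafe-inline'" || s === "'unsafe-eval'");
}

// Constructed sample inputs.
const SLOPPY_COMPONENT = 'counter = 1; counter += 1;';     // undeclared variable
const STRICT_COMPONENT = 'var counter = 1; counter += 1;'; // declared with var
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";
const TIGHT_CSP = "default-src 'self'; script-src 'self'";

console.log(runComponentScript(SLOPPY_COMPONENT)); // { ok: false, error: 'ReferenceError' }
console.log(runComponentScript(STRICT_COMPONENT)); // { ok: true, error: null }
console.log(scriptSrcWeaknesses(WEAK_CSP));        // [ "'unsafe-inline'", "'unsafe-eval'" ]
console.log(scriptSrcWeaknesses(TIGHT_CSP));       // []
```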

LockerService features client-side API versioning, a faster security review, more secure JavaScript development practices, and the ability to run JavaScript frameworks like React and Angular.

The architecture will be rolled out as a “critical update,” Ellis said. “Critical updates give customers time to evaluate and test a change in their sandbox environments before enabling it in their production environment and is standard practice for us with deeper changes such as this one.” Half of customers received LockerService last weekend as part of the Salesforce Summer ’16 rollout, and the other half will get it this coming weekend.
