[SalesForce] Lightning components and locker service

I am trying to get the hang of what is accessible via locker and what elements are not. Following through threads in this forum, I realized there are some components that are genuinely locked by locker service and there are some that are user errors. I am having a hard time isolating the noise from the real issues caused by locker service.

As per the docs, the golden rule seems to be that locker will not allow access to any component that is not served from the same namespace. If this is the case, why are people complaining about locker disabling access to jQuery, FullCalendar kinda external libraries when loading from a static resource with locker service enabled?

e.g.: Cross-Origin Frame Error in Lightning Component embedded in Salesforce Console

Issues with running LockerService, d3, and Lightning components

The docs: https://developer.salesforce.com/blogs/developer-relations/2016/04/introducing-lockerservice-lightning-components.html
say

Can I use 3rd party libraries (React, Angular, etc) if running in Locker?

**Yes, provided they are served from Static Resources and approved by security**.

1) Is there a comprehensive doc that shows what is not accessible and what is accessible when locker is enabled? I see a conditional clause of if approved by security, is there a list of what's approved by security?

2) With Summer '17 locker will be enabled by default. Is there a global variable/method that will indicate if permission to access a DOM element is granted or not?

I am thinking along the lines of iseditable(), isdeletable() in Apex terms. If the component is denied access due to locker service, is there an easy way to check:

    if (lockerprovidedaccess) {
        console.log('Locker granted access, do all manipulations you need to');
    } else {
        console.log('Locker disabled access');
    }

Correct me if I am confusing myself with too many terminologies.

Best Answer

Too much for a comment but important to note:

Right now, there is a lot of noise. Other than the general rule, it is hard to tell what is a bug, user error, or not allowed. I believe this is a consideration with the recent notification that the enablement of Locker service this summer can now be rolled back by the admin rather than being permanent, using API versioning.

Received on 4-28-2017

In Summer '16, we introduced LockerService as a Critical Update. We planned to enable LockerService, including stricter Content Security Policy (CSP) in all orgs, starting with Summer '17. However, based on customer feedback, we have revised our rollout plan.

(Emphasis Mine)

With the revised rollout, CSP has been decoupled from LockerService and won't be enforced in production orgs in Summer '17, and now you have the option to disable LockerService by adjusting your API version.

LockerService Enforcement is Dependent on API Version

LockerService is enabled for all Lightning components with API version 40.0 (the version for Summer '17) or higher. LockerService isn't enabled for components with API version 39.0 and lower, which covers any component created before Summer '17.

To enable LockerService for a component, set the API version to 40.0. You can disable LockerService for a component by setting the API version to 39.0 or lower for the component.

Component versioning enables you to associate a component with an API version. When you create a component, the default version is the latest API version. In Developer Console, click Bundle Version Settings in the right panel to set the component version.

Stricter CSP Restrictions Aren't Enforced Yet

The stricter CSP restrictions, which mitigate the risk of cross-site scripting attacks, have been decoupled from LockerService and aren't enforced in production orgs in Summer '17. The stricter CSP changes are available only in sandboxes and Developer Edition orgs and can be activated in two new critical updates:

  • Enable Stricter Content Security Policy for Lightning Components
  • Enable Stricter Content Security Policy for Lightning Components in Communities

This gives you more time to update your code to work with stricter CSP.
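The API-version rule quoted in the answer can be checked across an org's components before relying on LockerService isolation. The following is an added example, not part of the original answer or Salesforce's own tooling: it reads the `<apiVersion>` from each Aura bundle's metadata file and reports whether LockerService applies. The bundle names, the sample XML and the retrieved-metadata directory layout are assumptions.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Rule quoted in the answer: LockerService is on at API version 40.0 or higher.
LOCKER_MIN_API = 40.0
NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}

def bundle_api_version(meta_xml):
    """Return the bundle's <apiVersion> as a float, or None if missing or unparsable."""
    try:
        root = ET.fromstring(meta_xml)
        node = root.find("sf:apiVersion", NS)
        if node is None:
            node = root.find("apiVersion")  # tolerate a file without the namespace
        return float(node.text.strip())
    except (ET.ParseError, AttributeError, ValueError):
        return None

def locker_status(meta_xml):
    """Classify one bundle as 'enabled', 'disabled' or 'unknown'."""
    version = bundle_api_version(meta_xml)
    if version is None:
        return "unknown"  # review by hand rather than assume protection
    return "enabled" if version >= LOCKER_MIN_API else "disabled"

def audit_directory(aura_dir):
    """Assumed layout: <aura_dir>/<bundle>/<bundle>.cmp-meta.xml (retrieved metadata)."""
    return {p.parent.name: locker_status(p.read_bytes())
            for p in sorted(Path(aura_dir).glob("*/*-meta.xml"))}

# Constructed sample metadata; the bundle names are hypothetical.
def meta(inner):
    return ('<AuraDefinitionBundle xmlns="http://soap.sforce.com/2006/04/metadata">'
            + inner + '</AuraDefinitionBundle>')

SAMPLES = {
    "legacyCalendar": meta("<apiVersion>39.0</apiVersion>"),
    "newChart": meta("<apiVersion>40.0</apiVersion>"),
    "noVersion": meta("<description>missing version</description>"),
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(f"{name}: LockerService {locker_status(xml_text)}")
```

Bundles reported as "disabled" or "unknown" are the ones running without LockerService and are worth reviewing first, especially if they load third-party libraries from static resources.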