Overview of the Series
Part Two: Take the First Steps: Ways You Can Replace JS Buttons (coming soon)
Part Three: Your New Life With Lightning: Plan for the Future with the Actions Roadmap (coming soon)
In the final article of our blog series, we’ll discuss new features coming to Salesforce1 and Lightning Experience — such as Lightning Actions — that will provide you with an easier migration path.
One of the coolest benefits in Lightning Experience is that customers and partners can add their Lightning components on the record, home, and other pages in the Salesforce application. For example, a customer might choose to add a map component to their Account record pages, or a partner might provide a component for their AppExchange app that can be added to the Home page or an Opportunity record.
The use cases are quite vast, which is why customers and partners are very excited about Lightning Experience. However, without some safeguards, the components would have access to each other’s data, shared access to the window and event structures, and access to any client side API. This could allow a partner’s component for HIPAA compliance or financial information to be accessed by another component from a different source, when they are both on the same page. I think we can agree that this is problematic, and could lead to many security and regulatory issues.
When a website allows dynamic content, hackers can use XSS to inject their malicious client-side code into the web pages that are viewed by normal users. The hackers can then leverage the session and cookies from normal users to run scripts to extract data, log keystrokes, manipulate form entries, and even access APIs.
LockerService: Making Lightning Components More Secure
- XSS and similar security issues
- Unrestricted DOM access
- Calling undocumented/private APIs
- Cool new features like client-side API versioning
- Faster security review (AppExchange)
- Better JS development practices
- Easily updating security features and policies
- Use or manipulate values on a record BEFORE the save
- Validate fields — ensure values are populated and/or meet criteria
- Prefill values based on inputs in other fields
- Redirect to a Visualforce page based on input values
- Confirmation pop-up screens
- Create records w/ pre-populated values
- Trigger flows from Visual Workflow
- Callouts to Salesforce or external API
- 3rd party integration
- Mass actions on records in a list
- Feedback pop-up screens for users, directing methods and procedures