Salesforce.com:Developing Secure Code in Salesforce Lightning

Developing Secure Code

The Salesforce Aura framework uses Content Security Policy (CSP) to control the source of content that can be loaded on a page. The LockerService architectural layer enhances security by isolating individual Lightning components in their own containers and enforcing coding best practices.
The Lightning Component framework uses Content Security Policy (CSP) to control the source of content that can be loaded on a page.
CSP is a Candidate Recommendation of the W3C working group on Web Application Security. The framework uses the Content-​Security-​Policy HTTP header recommended by the W3C.
The framework’s CSP covers these resources:
JavaScript LibrariesAll JavaScript libraries must be uploaded to Salesforce static resources. For more information, see Using External JavaScript Libraries.HTTPS Connections for ResourcesAll external fonts, images, frames, and CSS must use an HTTPS URL.
You can change the CSP policy and expand access to third-party resources by adding CSP Trusted Sites.

Content Security Policy and LockerService

LockerService tightens CSP to eliminate the possibility of cross-site scripting attacks. These CSP changes are only enforced in sandboxes and Developer Edition orgs.
The stricter CSP disallows the unsafe-inline and unsafe-eval keywords for inline scripts (script-src). Ensure that your code and third-party libraries you use adhere to these rules by removing all calls using eval() or inline JavaScript code execution. You might have to update your third-party libraries to modern versions that don’t depend on unsafe-inline or unsafe-eval.
LockerService is a critical update for this release. LockerService will be automatically activated for all orgs in the Summer ’17 release. Before the Summer ’17 release, you can manually activate and deactivate the update as often as you need to evaluate the impact on your org.

Browser Support

CSP isn’t enforced by all browsers. For a list of browsers that enforce CSP, see caniuse.com
 
 

Comments

Post a Comment

Popular posts from this blog

Salesforce.com: Expression Operators in Salesforce lightning Components

Image
Generally In every component implementation we have a need to  change the UI conditionally, or show/hide a section/column based on certain conditions. We need simple ways to do this instead of having every handler in code. Below are key operators and their syntax to handle any such situation Ternary Operator This expression uses the ternary operator to conditionally output one of two values dependent on a condition. 1 <a class="{!v.location == '/active' ? 'selected' : ''}" href="#/active">Active</a> The {!v.location == ‘/active’ ? ‘selected’ : ”} expression conditionally sets the class attribute of an HTML <a> tag, by checking whether the location attribute is set to /active . If true, the expression sets class to selected . Using <aura:if> for Conditional Markup <aura:attribute name="edit" type="Boolean" default="true"/> <aura:if isTrue=...
Read more

Custom Calendar on VisualForce Page

Image
There has always been a need to have a calendar component for visualforce page this kind of component can be used in events booking,events calendar,scheduling requirements and all the places where we need to show events by dates. This can be easily implemented using jquery,fullcalendar plugin and json in apex. So what we need here is 1.) Fullcalandar plugin  Download 2.) A custom object with start dates and end dates for events 3.) Apex class to pull data from object and convert that into json using json.serailze First we have to upload the fullcalendar lib to static resource and then we have to create a visualforce page with below code. The important thing is "JSONOFLIST" which is just json created from list of records by using JSONOFLIST = JSON.serialize(LIST OF SOBJECT); It will give you a calendar with items highlited on page Source : http://www.saasanalogy.com/custom-calendar-on-visualforce-page/
Read more

Salesforce.com: Scheduled Apex

The Apex Scheduler lets you delay execution so that you can run Apex classes at a specified time. This is ideal for daily or weekly maintenance tasks using Batch Apex. To take advantage of the scheduler, write an Apex class that implements the Schedulable interface, and then schedule it for execution on a specific schedule. Scheduled Apex Syntax To invoke Apex classes to run at specific times, first implement the Schedulable interface for the class. Then, schedule an instance of the class to run at a specific time using the System.schedule method. global class SomeClass implements Schedulable { global void execute(SchedulableContext ctx) { // awesome code here } } The class implements the Schedulable interface and must implement the only method that this interface contains, which is the execute method. The parameter of this method is a SchedulableContext object. After a class has been scheduled, a CronTrigger object is created that represents the scheduled job. It p...
Read more