Salesforce puts Lightning in a tightly sealed bottle
Lightning provides components for building multi-form-factor apps for deployment on Salesforce App Cloud. LockerService isolates individual components in their own containers and helps promote coding best practices, said Ryan Ellis, executive vice president of product management at Salesforce.
Salesforce's goals with LockerService include keeping application components from causing cross-site scripting (XSS) issues or other problems, preventing components from reading other components’ rendered data without restrictions, and stopping components from calling undocumented or private APIs.
LockerService enforces JavaScript ECMAScript 5 Strict Mode without developers having to specify it. Enforcement covers declaration of variables with the var keyword and other JavaScript coding best practices. Libraries used by components must also run in strict mode.
With the LockerService DOM access containment feature, a component can only traverse the DOM and access elements created by that component. This prevents the "anti-pattern" of reaching into DOM elements owned by other components. Content security policy has also been tightened to eliminate XSS attacks by removing the unsafe-inline and unsafe-eval keywords for inline scripts (script-src).
LockerService features client-side API versioning, a faster security review, more secure JavaScript development practices, and the ability to run JavaScript frameworks like React and Angular.
The architecture will be rolled out as a "critical update," Ellis said. "Critical updates give customers time to evaluate and test a change in their sandbox environments before enabling it in their production environment and is standard practice for us with deeper changes such as this one." Half of customers received LockerService last weekend as part of the Salesforce Summer '16 rollout, and the other half will get it this coming weekend.