Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[YeurDreamin 2022] Harder, better, faster, stro...

Fabien Taillon
June 18, 2022
Technology
0
25

[YeurDreamin 2022] Harder, better, faster, stronger: forget Lightning Locker and move to Lightning Web Security

Tired of Lightning Locker limitations ? Want a faster environment for your lightning web components ? Lightning Web Security is the new security architecture, modeled to be faster and more compliant with web standards. Let’s see how it differs from Lightning Locker and what are the benefits. Also learn if your org is already suited for it or not and what should be done to avoid issues. You’re just one session away from moving to a better security architecture !

Fabien Taillon

June 18, 2022
Tweet

More Decks by Fabien Taillon

See All by Fabien Taillon
Enhance your Customer Support with Agentforce and Experience Cloud
fabientaillon
1
7
[Dreamforce 24] Dynamic LWC: With great power comes great responsibility
fabientaillon
0
9
[London's Calling 2024] Demystifying Cookies: a much easier topic than you think
fabientaillon
0
5
[Wir Sind Ohana 2024] Dynamic LWC: With great power comes great responsibility
fabientaillon
0
6
[CzechDreamin 2024] Demystifying Cookies: a much easier topic than you think
fabientaillon
0
5
[Albanian Dreamin 2024] Dynamic LWC: With great power comes great responsibility
fabientaillon
0
4
[World Tour Paris 2024] La French Touch', l'open-source premium pour Trailblazers
fabientaillon
0
3
[Cairo Dreamin 2024] Use the power of standard web components in Salesforce
fabientaillon
0
5
[YeurDreamin 2023] Bring data to your LWC without Apex using the GraphQL Wire Adapter
fabientaillon
0
85

Other Decks in Technology

See All in Technology
隣接領域をBeyondするFinatextのエンジニア組織設計 / beyond-engineering-areas
stajima
1
250
Terraform Stacks入門 #HashiTalks
msato
0
330
Terraform CI/CD パイプラインにおける AWS CodeCommit の代替手段
hiyanger
1
200
Shopifyアプリ開発における Shopifyの機能活用
sonatard
4
220
【令和最新版】AWS Direct Connectと愉快なGWたちのおさらい
minorun365
PRO
5
660
mikroBus HAT を用いた簡易ベアメタル開発
tarotene
0
330
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
1
160
私はこうやってマインドマップでテストすることを出す!
mineo_matsuya
0
330
[FOSS4G 2024 Japan LT] LLMを使ってGISデータ解析を自動化したい!
nssv
1
190
サイバーセキュリティと認知バイアス:対策の隙を埋める心理学的アプローチ
shumei_ito
0
370
[CV勉強会@関東 ECCV2024 読み会] オンラインマッピング x トラッキング MapTracker: Tracking with Strided Memory Fusion for Consistent Vector HD Mapping (Chen+, ECCV24)
abemii
0
180
Can We Measure Developer Productivity?
ewolff
1
120

Featured

See All Featured
Building Your Own Lightsaber
phodgson
103
6.1k
Designing for Performance
lara
604
68k
Being A Developer After 40
akosma
86
590k
Scaling GitHub
holman
458
140k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
370
We Have a Design System, Now What?
morganepeng
50
7.2k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.4k
The Invisible Side of Design
smashingmag
297
50k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.2k
Designing Experiences People Love
moore
138
23k

Transcript

  1. Welcome to #YD22 Amsterdam

  2. Harder, better, faster, stronger: forget Lightning Locker and move to

    Lightning Web Security Fabien Taillon

  3. Fabien Taillon • 7x Salesforce MVP • CTO at Texeï

    • Paris Developer Group Leader • French Touch Dreamin team • Serial speaker • Not so serial blogger @FabienTaillon https://texei.com/blog Who am I

  4. At Classic time, all UI developments were done via Visualforce

    • Security was guaranteed by iframe and different domains Why Lightning Locker / Lightning Web Security https://xxxxx.my.salesforce.com https://xxx.vf.force.com iframe

  5. At Lightning time • No change regarding Visualforce and security

    and Visualforce • Lightning Components developments are in the same DOM as Salesforce + third party components Why Lightning Locker / Lightning Web Security https://xxx.lightning.force.com Salesforce component Salesforce component Salesforce component My component My component Third party component

  6. All components can access to everything from other namespace: DOM,

    APIs, cookies… Why Lightning Locker / Lightning Web Security https://xxx.lightning.force.com Salesforce component Salesforce component Salesforce component My component My component Third party component

  7. All components can access to everything from other namespace: DOM,

    APIs, cookies… Why Lightning Locker / Lightning Web Security https://xxx.lightning.force.com Salesforce component Salesforce component Salesforce component My component My component Third party component

  8. All components can access to everything from other namespace: DOM,

    APIs, cookies… Why Lightning Locker / Lightning Web Security https://xxx.lightning.force.com Salesforce component Salesforce component Salesforce component My component My component Third party component

  9. All components can access to everything from other namespace: DOM,

    APIs, cookies… Why Lightning Locker / Lightning Web Security https://xxx.lightning.force.com Salesforce component Salesforce component Salesforce component My component My component Third party component

  10. Not cool Why Lightning Locker / Lightning Web Security

  11. Lightning Locker / Lightning Web Security: • is a powerful

    security architecture for Lightning components. • enhances security by isolating Lightning components that belong to one namespace from components in a different namespace. • promotes best practices that improve the supportability of your code by only allowing access to supported APIs and eliminating access to non-published framework internals What are Lightning Locker / Lightning Web Security

  12. Lightning Locker / Lightning Web Security: • enables JavaScript strict

    mode • enforces CSP (Content Security Policy) • prevents access to JavaScript Global variables (Window, Document…) • prevents Prototype pollution What are Lightning Locker / Lightning Web Security

  13. Makes use of JavaScript Proxy. Instead of giving access to

    global scope, Lightning Components have access to a secure wrapper proxy: • Window → SecureWindow • Document → SecureDocument • Element → SecureElement • … → https://developer.salesforce.com/docs/atlas.en-us.214.0.lightning.meta/lightning/security_global_access.htm How does Lightning Locker works

  14. JavaScript Proxy demo How does Lightning Locker works

  15. SecureWindow, SecureDocument, SecureElement, etc are a replacement for the real

    elements, all standard APIs may not be available in the Secure version (especially new ones): • Window.BarcodeDetector • Window.Clipboard • … This may prevent your code or third party libraries to work. Everything is documented in the Locker API Viewer documentation: → https://developer.salesforce.com/docs/component-library/tools/locker-service-viewer Lightning Locker works, but…

  16. It’s slower, as every Secure wrapper is an extra overhead.

    The more calls to these APIs, the slower your component will be. This can be debugged and benchmarked in the Locker Console: → https://developer.salesforce.com/docs/component-library/tools/locker-service-console Performance impact example: → https://developer.salesforce.com/docs/atlas.en-us.lightning.meta/lightning/security_locker_console_benchmark.htm Lightning Locker works, but…

  17. Worth noting, there is (of course) no support for JavaScript

    Proxy in Internet Explorer: Polyfill is used → Even slower on IE ! IE is retired and out of support since June 15, 2022 Lightning Locker works, but… https://blogs.windows.com/windowsexperience/2021/05/19/the-future-of-internet-explorer-on-windows-10-is-in-microsoft-edge/

  18. How does Lightning Web Security works Based on ShadowRealm: •

    web standard • Doesn’t override global objects with a wrapper (no overhead) • creates a new context for global objects (sandbox, or realm) • Use distortion: → https://developer.salesforce.com/docs/component-library/tools/lws-distortion-viewer

  19. How does Lightning Web Security works

  20. • Faster • Allows cross-namespace component use • Use distortion

    of APIs, so all of them are available (but may be distorted) • Standard ◦ Better support of standard DOM API ◦ Better support for third party libraries ◦ Will benefit from browsers optimisation Why it’s positive

  21. Only GA for LWC (not aura components). Salesforce recommends to:

    • activate it if you’re a new org or LWC only • test thoroughly if you have a mix of LWC and aura • don’t activate it if you’ve only have aura components → https://developer.salesforce.com/docs/component-library/documentation/en/lwc/lwc.security_lwsec_when What’s not working/need to be careful of

  22. Only GA for LWC (not aura components). • Beware of

    LWC only orgs where Aura may be needed after: ◦ List View Buttons ◦ Related List Buttons ◦ New / Edit override ◦ Lightning Out ◦ … • Today it’s still a polyfill if most browsers What’s not working/need to be careful of

  23. • Introducing ShadowRealm https://developer.salesforce.com/blogs/2022/04/introducing-shadowrealm • Workflow to Try Your LWCs

    with Lightning Web Security: https://developer.salesforce.com/docs/component-library/documentation/en/lwc/lwc.secur ity_lwsec_test_workflow • Lightning Web Security Console https://developer.salesforce.com/docs/component-library/tools/lws-console • Lightning Web Security Distortion Viewer https://developer.salesforce.com/docs/component-library/tools/lws-distortion-viewer • Lightning Web Security Basics Trailhead Badge https://trailhead.salesforce.com/content/learn/modules/lightning-web-security-basics Resources

  24. Q&A #YD22 Amsterdam