Hi
Will Kendo UI Scheduler work within Salesforce LockerService?
LockerService Isolation
LockerService is the primary and preferred isolation mechanism for the Lightning Component Framework. LockerService wraps standard objects like window, document, and element inside a secure version of these objects (SecureWindow, SecureDocument and SecureElement) as a way to control access to APIs and regions of the DOM. When components are loaded, they are provided with the secure wrappers (secureWindow and secureDocument) in lieu of the standard objects (window and document). When a component invokes a method on the document or window object, the secure wrapper can apply appropriate security restrictions. For example, access to the DOM of another component will be:
- Granted if the other component is in the same namespace
- Denied if the other component is in a different namespace
In addition to providing a sophisticated namespace-based access control mechanism, LockerService enforces a series of rules to further avoid security exploits:
- JavaScript ES5 strict mode is automatically enabled. Libraries that do not support strict mode will not work with LockerService.
- Content Security Policy (CSP). unsafe-eval and unsafe-inline are disallowed. Libraries using eval() or inline JavaScript code execution will not work with LockerService.
The rules enforced by LockerService are recognized as industry best practices. However some libraries may not yet work with these restrictions enabled. In that case, we recommend you ask the library author to support strict mode and CSP. In the meantime, you can use the alternative Lightning Container Component isolation described below.
LockerService Advantages
- No iframe. Components live in the same DOM (better performance)
- Straightforward, natural communication between components
- Cohesive UI
- Eliminates DOM scraping vulnerabilities
- Mitigates the impact of developer mistakes such as the lack of proper escaping
- Cross-site scripting (XSS) and template injection are no longer possible
- Eliminate server-side action invocation/spoofing
LockerService Limitations
- Non-compliant libraries will not work with LockerService
https://developer.salesforce.com/blogs/developer-relations/2017/02/lockerservice-lightning-container-third-party-libraries-lightning-components.html
6 Answers, 1 is accepted
I am afraid that no tests are performed in LockerService environment and we cannot grantee the proper behavior of our widgets. However, as you mentioned that the DOM is the same - there should be no issue in the usage of our widgets.
Regards,
Nencho
Progress Telerik
Rank 1
Hello Nencho;
I am in a similar situation as Robert. The issue with Salesforce Locker Service, is that they have created their own "secure" version of various built-in JavaScript objects (SecureWindow, SecureElement etc.) They severely limit (if not entirely block) most forms of DOM manipulation. Salesforce has provided a test environment ( https://developer.salesforce.com/docs/component-library/tools/locker-service-console ) where you can paste JavaScript code and see if it works in Locker Service. Most of my tests have resulted in errors so far, because even jQuery has some limitations that are blocked by Locker Service.
We are currently revising the referenced environment, in order to evaluate the case. However, as you mentioned that even jQuery is blocked in the environment, we will probably be with tied hands. I will update you in this thread, after the research.
Regards,
Nencho
Progress Telerik
Gord, your observations are correct. The jQuery library is not supported in Salesforce LockerService Isolation. As the Kendo UI library is build on top of jQuery and depends on jQuery, the Kendo UI widgets are not supported in Salesforce LockerService Isolation.
Regards,
Ianko
Progress Telerik
Rank 1
Hi Praveen,
As the lightning components do not support jQuery, any jQuery-based library cannot be supported as well.
Regards,
Ianko
Progress Telerik