
Is there a good summary of from where Salesforce allows and does not allow calling out to third-party REST APIs (assume the header Access-Control-Allow-Origin: *)?

Possible scenarios I can imagine:

  • Lightning component on a standard layout
  • Lightning component on a community page
  • Lightning component inside a VF wrapper
  • Visualforce page inside a standard layout
  • Visualforce page inside a console page
  • JavaScript buttons

I've seen people complain about being unable to call WebSockets from Lightning. Is that a strategic Salesforce thing (all data should flow thru us and we are going to make sure you pay a pretty penny for it (or lock your org if you do too many per second)) or more of a security thing (nothing can be trusted externally)? If the latter, what are the options and workarounds?

1 Answer

It's a security measure. If you are familiar with CSP policy, it's the actual reason for currently blocking XHR calls directly from the Lightning component.

You can read more on the CSP security policy here. The primary vulnerability your app is secured from is XSS.

If you take a look at the Content-Security-Policy header for your Lightning app you will see that the policy rule for XHR requests (connect-src) is set to self.

The only way to connect to your Salesforce data is making a callout via Apex and surfacing the data to the Lightning component.

Salesforce is implementing the Locker Service. Once this is in place the future looks bright for supporting this. But don't make a purchasing decision on the forward-looking statements; instead make decisions on the current state of the product.

  • Thank you! I assume that is to prevent XSS injections, as they would be harder (not impossible) to do via Apex? What sort of vulnerabilities does this prevent? Also, how does that relate to VF and the console? Commented May 27, 2016 at 1:57
  • Yes, XSS injections are prevented. Apex runs on the Salesforce server, and ideally, if you use Visualforce properly as documented, Salesforce takes care of security and preventing XSS. The getters, setters and VF tags are supposed to be designed to encrypt transmission between client and server. But as time went on we saw increased JS being added to VF without security considerations. With the component framework I believe Salesforce wants to enforce security right from the beginning. Commented May 27, 2016 at 2:05
  • Check this article on how Visualforce should be written to prevent XSS vulnerabilities: developer.salesforce.com/page/… Commented May 27, 2016 at 2:14
  • Intrinsically, Apex does not prevent you from XSS completely, it just makes it a little bit harder. Not sure how Locker Service is implemented, but is the idea that all interaction with data will be stopped? Or will it be only very defined scenarios, almost like Apex? Commented May 27, 2016 at 6:12
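As an added illustration of the workaround the answer describes (example code, not from the answer or from Salesforce's documentation): the browser only ever talks to the Salesforce origin, which satisfies connect-src 'self', and an Apex method performs the cross-origin HTTP call and hands structured data back to the component. It assumes a Named Credential with the placeholder API name Third_Party_API that holds the endpoint and authentication, so nothing sensitive is hard-coded and no Remote Site Setting is required.

```apex
// Added example: server-side callout surfaced to a Lightning component.
// The component never issues a cross-origin XHR; Apex performs the call.
public with sharing class ThirdPartyCalloutController {

    // Named Credential API name is a placeholder assumed for this example.
    private static final String NAMED_CRED = 'callout:Third_Party_API';

    @AuraEnabled
    public static Map<String, Object> fetchResource(String resourceId) {
        // Validate the client-supplied id before it is used in the URL path.
        if (String.isBlank(resourceId)
                || !Pattern.matches('[A-Za-z0-9_-]{1,64}', resourceId)) {
            throw new AuraHandledException('Invalid resource id');
        }

        HttpRequest req = new HttpRequest();
        req.setEndpoint(NAMED_CRED + '/v1/resources/'
                        + EncodingUtil.urlEncode(resourceId, 'UTF-8'));
        req.setMethod('GET');
        req.setHeader('Accept', 'application/json');
        req.setTimeout(10000); // ms; keep callouts short, they count against limits

        HttpResponse res;
        try {
            res = new Http().send(req);
        } catch (System.CalloutException e) {
            // Surface a generic message; details stay in server-side logs.
            throw new AuraHandledException('Callout failed: ' + e.getMessage());
        }
        if (res.getStatusCode() != 200) {
            throw new AuraHandledException(
                'Upstream returned HTTP ' + res.getStatusCode());
        }

        // Parse on the server so the component receives data, not raw markup
        // it might be tempted to inject into the DOM.
        Object parsed = JSON.deserializeUntyped(res.getBody());
        if (!(parsed instanceof Map<String, Object>)) {
            throw new AuraHandledException('Unexpected response shape');
        }
        return (Map<String, Object>) parsed;
    }
}
```

The Lightning component invokes this as a normal server action (`c.fetchResource` via `$A.enqueueAction`), so the request the browser sees is same-origin and passes the CSP check the answer refers to.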
