Also I would like to shift my development form Visualforce to Lightning. But API access seems to be a challenge: How to call a Salesforce REST URL from Lightning Component?
CSP is blocking the access and I’m not clear about the future perspective on this.
MartyC. found a workaround, which bypasses this limitation via APEX. But if my understanding of Dougs answer is correct, this path is open unintentionally and is likely to be closed in the future:
The lightning application separate domain also uses a special
lightning session ID that does not have direct API access. The fact
that you can currently provide indirect access to a fully API capable
session ID is a great example of why our content security policy is
currently so restrictive. Leaking an API said back to the client in a
have things locked down so tightly today.
So as a consequence Lightning Apps can best case try to get indirect API access. If the API access is turned off on purpose for security reasons, indirect mechanisms could also count as “hacks” and might be prevented later.
Are there any plans to open up Lightning API access in the near future?
We are still working out the details of this type of access – there are multiple reasons we have this in place today:
- security as discussed in my other posts/answers
- performance: direct access via arbitrary XHR client code cannot take advantage of the scarce resource (connections) management infrastructure provided by Lightning’s Action Service. We’ve had significant challenges in this area within Salesforce because our native container and web content do not share a common scarce resource layer
- offline support: the offline, occasionally connected, and locally served speed capabilities in S1 and other Lightning based applications is based on Action Service, Storage Service, and the upcoming Data Service. Going “around” these services is going to bite most projects at some point and we’re really trying to future proof things and save everyone a ton of grief
One thing we are looking into is providing a thin XHR proxy that is build on top of the Action Service, Storage Service, etc. I’ve personally been working on this concept as a plugin for AngularJs’s $http API – would let you use Angular’s $http API and get the Lightning Components Action Service benefits simultaneously! Same idea for Sencha Ext/Touch with a DataProxy implemented on top of ActionService.