What is the impact of the Release Update: “Enable Secure Static Resources for Lightning Components”? (due 2020-11-29)

On the Release Update page in the setup (/lightning/setup/ReleaseUpdates/home) I found this:

Enable Secure Static Resources for Lightning Components
COMPLETE STEPS BY: 29.11.2020
TEST RUN SUPPORTED

To improve security, this update serves all static resources from the
Visualforce domain instead of the Lightning domain.

What is changing?

To improve security, this update serves all static
resources from the Visualforce domain instead of the Lightning domain.
This change affects Aura and Lightning web components. We recommend
that you test this update in a sandbox org to verify correct behavior
before enabling it in your production org.

What improvements can I see?

This update improves security by serving
static resources from the Visualforce domain instead of the lightning
domain. This change prevents a script included in a static resource
from accessing the document in the lightning domain due to the
same-origin security policy.

How is my org impacted?

This update serves static resources from the
Visualforce domain instead of the lightning domain. A script included
in a static resource can’t access the document in the lightning
domain due to the same-origin security policy.

The crucial part here is “can’t” access the document. My first reflex is to assume the word document means DOM (Document Object Model). Salesforce has done a lot to make it hard to access the DOM in the past because of security concerns. The central point is their Locker Service. To some degree I understand that, but in most parts an accessible DOM is the only ticket to use JS frameworks and existing powerful HTML/JS components, like charts, UI elements and 3D visualization tools.

We have several Aura Components using API Version 36.0 to avoid Locker Service. We also use a lot of jQuery and other JS libraries to access the DOM. These are for instance

Does this “security update” mean that all our Aura Components will break on 2020-11-29?

If this were the case, I also cannot see any workaround to prevent it.

Does it mean that we are forced back to vanilla JavaScript and the few libraries which are allowed by Salesforce?

Answer

Enable Secure Static Resources for Lightning Components has been postponed indefinitely, as per the Summer 21 release notes:

This release update has been postponed indefinitely while we change the implementation to reduce customer impact. The release update won’t be enforced in its present form. Don’t enable it.

Unless Salesforce changes their mind in the next few weeks leading up to release (which I very much doubt), you should be okay for now, and we’ll probably get more info later about what the impact will ultimately be as they work on the new implementation.

UPDATE: Still postponed indefinitely as of Spring 22

Attribution
Source : Link , Question Author : Uwe Heim , Answer Author : Victor Lockwood
