@locker/eslint-plugin-locker
Lightning Web Security ESLint rules
# Distorted {XMLHttpRequest|Window}#open (distorted-xml-http-request-window-open)
For security reasons, `{XMLHttpRequest|Window}#open` is distorted by Lightning Web Security.
<!-- START generated embed: @locker/distortion/src/XMLHttpRequest/docs/open-value.md -->
## XMLHttpRequest.prototype.open
The [`XMLHttpRequest.prototype.open()`](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/open) method initializes a newly-created request, or re-initializes an existing one.
Lightning Web Security disallows access to URL endpoints containing `"/aura"` and `"/webruntime"` because they are part of the Lightning Component framework.
### Distorted Behavior
This distortion resolves the `url` argument and examines the resulting `hostname` and `pathname`. If the path matches a disallowed endpoint, `open()` throws an exception instead of initializing the request.
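The following is an added illustration of that check, not Lightning Web Security's own code. It wraps the `open` method of any XHR-like constructor (a stub is used in tests, since Node has no `XMLHttpRequest`), resolves the URL against an assumed page origin the way a browser would, and throws before the request is initialized when the path contains `/aura` or `/webruntime`. Decoding the path before matching is this example's own hardening against percent-encoded paths such as `/%61ura`, which the page does not discuss; the error message and the `baseOrigin` parameter are also assumptions of the example.

```javascript
// Added example: a distortion of XMLHttpRequest.prototype.open that refuses
// Lightning Component framework endpoints. Not Lightning Web Security's code.
const DISALLOWED_PATHS = ["/aura", "/webruntime"];

// Resolve the url argument as a browser would (relative URLs resolve against
// the page origin, an assumed parameter here) and return hostname + pathname.
function resolveTarget(url, baseOrigin) {
  const parsed = new URL(String(url), baseOrigin);
  return { hostname: parsed.hostname, pathname: parsed.pathname };
}

// True when the (decoded) pathname contains a disallowed endpoint.
// Decoding is this example's addition: the WHATWG URL parser leaves "%61"
// in the pathname as-is, so a raw substring check could be bypassed.
// A pathname that fails to decode is treated as disallowed (fail closed).
function isDisallowedEndpoint(url, baseOrigin) {
  const { pathname } = resolveTarget(url, baseOrigin);
  let decoded;
  try {
    decoded = decodeURIComponent(pathname);
  } catch (_err) {
    return true;
  }
  const lower = decoded.toLowerCase();
  return DISALLOWED_PATHS.some((p) => lower.includes(p));
}

// Replace XhrCtor.prototype.open with a checked version. The original method
// is only reached for URLs that pass the check.
function distortXhrOpen(XhrCtor, baseOrigin) {
  const originalOpen = XhrCtor.prototype.open;
  XhrCtor.prototype.open = function open(method, url, ...rest) {
    if (isDisallowedEndpoint(url, baseOrigin)) {
      const { hostname, pathname } = resolveTarget(url, baseOrigin);
      // Message text is an assumption of this example.
      throw new TypeError(
        `XMLHttpRequest.open: access to ${hostname}${pathname} is not allowed`
      );
    }
    return originalOpen.call(this, method, url, ...rest);
  };
  return XhrCtor;
}
```

Note that only the path is inspected: a query string or fragment that happens to contain `/aura` does not trip the check, which matches the page's description of examining `hostname` and `pathname` rather than the whole URL.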
<!-- END generated embed, please keep comment -->
<!-- START generated embed: @locker/distortion/src/Window/docs/open-value.md -->
## window.open
The [`window.open()`](https://developer.mozilla.org/en-US/docs/Web/API/Window/open) method loads the specified resource into a new or existing browsing context with the specified name. If the name doesn't exist, then a new browsing context is opened in a new tab or a new window, and the specified resource is loaded into it.
The browsing context that `window.open()` returns is not sandboxed on its own, so malicious code could use it to reach system mode. Lightning Web Security therefore distorts the `window` object that is returned.
### Distorted Behavior
The returned `window` object has the same distortions applied to it as the originating sandbox. `eval`, `Function`, `setInterval` and `setTimeout` are blocked.
If the target argument is `"_blank"`, an empty string, or the name of a browsing context other than the current one, Lightning Web Security compares the URL of the new window with the intended URL. If the two don't match, the intended URL is enforced by navigating the new window to it. In some cases this results in two requests being made to the specified URL.
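The following is an added illustration of the `window.open` distortion described above; it is this page's editor's approximation, not Lightning Web Security's code. A `Proxy` blocks `eval`, `Function`, `setTimeout` and `setInterval` on the returned window, and the wrapper re-navigates the new window when its URL does not match the intended one. The way the intended URL is resolved (against an assumed `sandboxOrigin`), the treatment of `""` as `about:blank`, the handling of a cross-origin `location.href` read, and the decision to compare against `window.name` for the "current browsing context" are all assumptions of this example.

```javascript
// Added example: a distortion of window.open. Not Lightning Web Security's code.
const BLOCKED_GLOBALS = ["eval", "Function", "setTimeout", "setInterval"];

// Wrap a window-like object so that the blocked globals throw instead of
// handing out code execution outside the sandbox. Methods are bound to the
// real window so calls such as win.focus() keep working through the proxy.
function distortWindow(win) {
  return new Proxy(win, {
    get(target, prop, receiver) {
      if (BLOCKED_GLOBALS.includes(prop)) {
        throw new TypeError(`${String(prop)} is not allowed in Lightning Web Security`);
      }
      const value = Reflect.get(target, prop, receiver);
      return typeof value === "function" ? value.bind(target) : value;
    },
  });
}

// Targets for which the URL of the resulting window is verified:
// "_blank", "", or a name that is not the current browsing context.
// Using window.name as the current context's name is an assumption.
function isForeignTarget(target, currentName) {
  return target === "_blank" || target === "" ||
    (target !== "_self" && target !== currentName);
}

// Return a replacement for currentWindow.open. sandboxOrigin (assumed) is the
// origin relative URLs resolve against.
function distortWindowOpen(currentWindow, sandboxOrigin) {
  const originalOpen = currentWindow.open;
  return function open(url = "", target = "_blank", features) {
    const intended = url === "" ? "about:blank" : new URL(String(url), sandboxOrigin).href;
    const opened = originalOpen.call(currentWindow, url, target, features);
    if (opened === null) return null; // popup blocked: nothing to distort

    if (isForeignTarget(target, currentWindow.name)) {
      let currentHref = null;
      try {
        currentHref = opened.location.href;
      } catch (_err) {
        // A cross-origin window does not expose location.href; treat it as
        // unknown, which forces the enforcement step below (assumption).
      }
      if (currentHref !== intended) {
        // Enforce the intended URL. This extra navigation is the reason the
        // page warns that two requests can be made to the specified URL.
        opened.location.href = intended;
      }
    }
    return distortWindow(opened);
  };
}
```

Assigning `location.href` is permitted even on a cross-origin window, which is why the enforcement step still works after a failed read; it also means a window opened on another origin is always re-navigated in this example, one of the "some cases" that cost a second request.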
<!-- END generated embed, please keep comment -->