
@locker/eslint-plugin-locker

# Distorted HTML{IFrame|Script}Element#src Setter (distorted-html-iframe-script-element-src-setter)

For security, the `HTML{IFrame|Script}Element#src` setter is distorted by Lightning Web Security.

<!-- START generated embed: @locker/distortion/src/HTMLIFrameElement/docs/src-setter.md -->

## HTMLIFrameElement.prototype.src setter

The [`HTMLIFrameElement.prototype.src`](https://developer.mozilla.org/en-US/docs/Web/API/HTMLIFrameElement/src) property reflects the HTML `referrerpolicy` attribute of the `<iframe>` element defining which referrer is sent when fetching the resource. The `src` value is a string that reflects the `src` HTML attribute, containing the address of the content to be embedded.

Lightning Web Security restricts the `src` attribute to values that use the `http://`, `https://`, and `about:blank` schemes, or relative URLs. URL schemes like `javascript://` aren't allowed.

Lightning Web Security disallows access to URL endpoints containing `"/aura"` and `"/webruntime"` because they are part of the Lightning Component framework.

### Distorted Behavior

This distortion throws an exception for values that don't sanitize to the `http://`, `https://`, or `about:blank` schemes, or to relative URLs. If set to a same-origin URL, the iframe will be sandboxed.

This distortion also examines the `hostname` and the `pathname` of the URL. If there's a match to a disallowed endpoint, it throws an exception.

<!-- END generated embed, please keep comment -->

<!-- START generated embed: @locker/distortion/src/HTMLScriptElement/docs/src-setter.md -->

## HTMLScriptElement.prototype.src setter

The [`HTMLScriptElement.prototype.src`](https://developer.mozilla.org/en-US/docs/Web/API/HTMLScriptElement) property is a `DOMString` representing the URL of an external script. It reflects the `src` attribute of the `script` element specifying the URL to an external script.

To ensure that JavaScript code loaded through a `script` element runs in the sandbox, Lightning Web Security evaluates the source text in the same sandbox before the browser evaluates it. This prevents the native behavior of the `script` element from triggering.

### Distorted Behavior

This distortion prevents a script from running before LWS can evaluate it.

<!-- END generated embed, please keep comment -->
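As an added example (not Locker's own code), the following standalone check models the `HTMLIFrameElement.prototype.src` rules described above: only `http:`, `https:`, `about:blank` or relative URLs pass, a path or host hitting `/aura` or `/webruntime` is rejected, and a same-origin result is flagged for sandboxing. The base origin `https://example.my.site` is an assumed stand-in for the page's own origin.

```javascript
// Modelled on the documented distortion; not the @locker implementation.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
// Endpoints of the Lightning Component framework that must not be framed.
const DISALLOWED_ENDPOINTS = ['/aura', '/webruntime'];

// Returns { allowed: true, sandbox: <bool>, href } or throws, mirroring the
// setter's "throw an exception" behaviour for disallowed values.
function checkIframeSrc(value, baseOrigin = 'https://example.my.site') {
  const text = String(value).trim();

  // about:blank is explicitly allowed and never needs a network fetch.
  if (text.toLowerCase() === 'about:blank') {
    return { allowed: true, sandbox: false, href: 'about:blank' };
  }

  let url;
  try {
    // Relative URLs resolve against the page origin, so "/path" is fine.
    url = new URL(text, baseOrigin);
  } catch (err) {
    throw new TypeError(`Invalid iframe src: ${text}`);
  }

  // Scheme check: rejects javascript:, data:, vbscript:, blob:, etc.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    throw new TypeError(`Disallowed scheme "${url.protocol}" in iframe src`);
  }

  // Examine hostname and pathname together for framework endpoints.
  const target = `${url.hostname}${url.pathname}`.toLowerCase();
  for (const endpoint of DISALLOWED_ENDPOINTS) {
    if (target.includes(endpoint)) {
      throw new TypeError(`Disallowed endpoint "${endpoint}" in iframe src`);
    }
  }

  // Same-origin content gets sandboxed rather than rejected.
  const sameOrigin = url.origin === new URL(baseOrigin).origin;
  return { allowed: true, sandbox: sameOrigin, href: url.href };
}
```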