FAQ-001135 - Lightning Web Components and JavaScript Security / Script Loading and Static Resources


Current FAQ

Question
What are the requirements for Lightning-ready applications using custom JavaScript libraries?
Answer
Lightning-ready applications using custom JavaScript libraries must meet the following requirements:

1. **Static Resources**: JavaScript libraries must be stored in static resources within the package. Dynamically loading JavaScript files from third-party endpoints or CDNs is not allowed, except for Salesforce-approved CDNs such as Google Maps and Stripe.
2. **Namespace Sandbox**: All JavaScript code must operate within the namespace sandbox of the application. Executing JavaScript in the Salesforce domain (e.g., through custom buttons, homepage components, or S-controls) is prohibited.
3. **Secure Coding Practices**: Lightning components must sanitize user inputs and avoid unsafe attributes. Use secure filters and sanitization libraries stored in static resources.
4. **LockerService Compatibility**: Lightning applications must be written for API version 40 or later to ensure compatibility with LockerService, which enforces component isolation and secure interactions.
5. **Version Control**: The entire solution, including JavaScript libraries, must be version-controlled to ensure transparency and security during reviews.
6. **Security Compliance**: Avoid using JavaScript to bypass sharing rules, CRUD, or field-level security settings.

These guidelines ensure compliance with Salesforce's security and functional standards.
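Requirement 1 is the kind of rule a reviewer can check mechanically. The following is an added example, not Salesforce's code or part of this FAQ: a small source scan that flags dynamic `<script>`/`<link>` creation and script URLs that point outside the package's static resources, with an allowlist for approved CDN hosts. The two hostnames in `ALLOWED_HOSTS`, the rule label `ExternalScriptSource`, and both sample components are assumptions constructed for the example; the `lightning/platformResourceLoader` and `@salesforce/resourceUrl` imports in the compliant sample are the standard LWC way to load a library from a static resource.

```javascript
// Added example, not Salesforce's code: flag script-loading patterns that the
// FAQ prohibits. The hostnames below are assumed placeholders standing in for
// whatever the approved-CDN list actually contains.
const ALLOWED_HOSTS = new Set(["maps.googleapis.com", "js.stripe.com"]);

// 1-based line number of a character offset, for readable findings.
function lineOf(source, index) {
  return source.slice(0, index).split("\n").length;
}

// Scan one file's text and return a list of findings. The first rule name is
// taken from the rule list on this page; "ExternalScriptSource" is this
// example's own label.
function scanSource(fileName, source) {
  const findings = [];
  let m;

  // document.createElement('script') / ('link'): runtime tag injection.
  const createTag = /createElement\(\s*["'](script|link)["']\s*\)/g;
  while ((m = createTag.exec(source)) !== null) {
    findings.push({
      file: fileName,
      line: lineOf(source, m.index),
      rule: "AvoidCreateElementScriptLinkTag",
      detail: m[0],
    });
  }

  // An absolute http(s) URL assigned via `src =` or passed to loadScript(...).
  // Static resource paths never start with http(s):// here, so they do not
  // match; absolute URLs must point at an allowed host.
  const scriptUrl = /(?:loadScript\([^)]*|\bsrc\s*=\s*)["'`](https?:\/\/[^"'`\s]+)["'`]/g;
  while ((m = scriptUrl.exec(source)) !== null) {
    let host = null;
    try {
      host = new URL(m[1]).hostname;
    } catch (e) {
      host = null; // an unparsable URL is treated as not allowed
    }
    if (host === null || !ALLOWED_HOSTS.has(host)) {
      findings.push({
        file: fileName,
        line: lineOf(source, m.index),
        rule: "ExternalScriptSource",
        detail: m[1],
      });
    }
  }
  return findings;
}

// Constructed sample: a component that loads its library from a static resource.
const COMPLIANT_SOURCE = `
import { LightningElement } from 'lwc';
import { loadScript } from 'lightning/platformResourceLoader';
import CHART_LIB from '@salesforce/resourceUrl/chartLib';

export default class ChartPanel extends LightningElement {
  renderedCallback() {
    loadScript(this, CHART_LIB + '/chart.min.js').then(() => this.draw());
  }
}
`;

// Constructed sample: the same hook pulling scripts in at runtime. The Google
// Maps URL is on the allowlist, the vendor CDN is not.
const NON_COMPLIANT_SOURCE = `
renderedCallback() {
  const vendor = document.createElement('script');
  vendor.src = "https://cdn.example.invalid/vendor-lib.js";
  document.head.appendChild(vendor);
  const maps = document.createElement('script');
  maps.src = "https://maps.googleapis.com/maps/api/js";
  document.head.appendChild(maps);
}
`;

// Print findings in file:line form and return how many there were.
function report(fileName, source) {
  const findings = scanSource(fileName, source);
  for (const f of findings) {
    console.log(`${f.file}:${f.line} ${f.rule}: ${f.detail}`);
  }
  return findings.length;
}

report("chartPanel.js", COMPLIANT_SOURCE);          // 0 findings
report("chartPanel.bad.js", NON_COMPLIANT_SOURCE);  // 3 findings
```

The non-compliant sample produces three findings: both `createElement('script')` calls and the vendor CDN URL. The Google Maps `src` is not reported because its host is allowlisted, which is the distinction the FAQ draws between arbitrary CDNs and approved ones. A regex scan like this is a review aid, not a substitute for the package security review; it only sees string literals, so a URL assembled at runtime would need a manual look.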

AI Recommended Enhancement

Related Security Rules

- AvoidAuraWithLockerDisabled
- AvoidCreateElementScriptLinkTag
- LoadJavaScriptHtmlScript
- LoadJavaScriptIncludeScript
- AvoidJavaScriptCustomObject
- AvoidJavaScriptHomePageComponent
- AvoidSControls
- ApexXSSFromEscapeFalse
- AvoidUnescapedHtmlInAura
- ApexSharingViolations
- ApexCRUDViolation
- AvoidOldSalesforceApiVersions
Question
What are the requirements for Lightning-ready applications using custom JavaScript libraries?
Recommended Answer Update
Lightning-ready applications using custom JavaScript libraries must meet the following requirements:

1. **Static Resources**: JavaScript libraries must be stored in static resources within the package. Dynamically loading JavaScript files from third-party endpoints or CDNs isn't allowed, except for Salesforce-approved CDNs like Google Maps and Stripe.
2. **Namespace Sandbox**: All JavaScript code must operate within the namespace sandbox of the application. Executing JavaScript in the Salesforce domain (e.g., through custom buttons, homepage components, or S-controls) is prohibited.
3. **Secure Coding Practices**: Lightning components must sanitize user inputs and avoid unsafe attributes. Use secure filters and sanitization libraries stored in static resources.
4. **LockerService Compatibility**: Lightning applications must be written for API version 40 or later to ensure compatibility with LockerService, which enforces component isolation and secure interactions.
5. **Version Control**: The entire solution, including JavaScript libraries, must be version-controlled to ensure transparency and security during reviews.
6. **Security Compliance**: Avoid using JavaScript to bypass sharing rules, CRUD, or field-level security settings.

These guidelines ensure compliance with Salesforce's security and functional standards.
Reasoning
The FAQ content is generally accurate and comprehensive. The main improvement made was changing "is not allowed" to "isn't allowed" to follow the conversational tone guidelines and use contractions. All existing points and information were preserved.

Regarding the security rules selected:

- **AvoidAuraWithLockerDisabled**: Directly relates to point #4 about LockerService compatibility, which is explicitly mentioned as a requirement for Lightning applications.
- **AvoidCreateElementScriptLinkTag** and **LoadJavaScriptHtmlScript/LoadJavaScriptIncludeScript**: These rules relate to points #1 and #2 about proper JavaScript loading practices and avoiding dynamic script loading from external sources.
- **AvoidJavaScriptCustomObject**, **AvoidJavaScriptHomePageComponent**, and **AvoidSControls**: These directly correspond to point #2's prohibition on "executing JavaScript in the Salesforce domain (e.g., through custom buttons, homepage components, or S-controls)".
- **ApexXSSFromEscapeFalse** and **AvoidUnescapedHtmlInAura**: These relate to point #3 about secure coding practices and input sanitization to prevent XSS vulnerabilities.
- **ApexSharingViolations** and **ApexCRUDViolation**: These directly support point #6 about avoiding JavaScript that bypasses sharing rules, CRUD, or field-level security.
- **AvoidOldSalesforceApiVersions**: This supports point #4's requirement for API version 40 or later for LockerService compatibility.