Remote Javascript Inclusion - Outsystems Security

Hi,

I am facing a security issue related to the Outsystems platform. I will briefly describe the situation: resources included from third-party domains are used/executed in the security context of the invoking application and can, therefore, perform any action the application's own resources can perform. A malicious JavaScript could wreak all kinds of havoc, since it is in full control of the user's web browser. It could log user actions and keystrokes, embed malicious frames to websites hosting exploit packs, present the user a phishing or Trojan page, amongst many others.

Is there any possibility to host all the files (resources like JavaScript, CSS, HTML) on the server where the code is executed (the server in Outsystems' network) rather than including them from a remote third-party domain? This makes sure that all resources are processed/executed in the context of a user's browser upon visiting the web application and that they originate from a trusted source, namely itself.

Thank you!

Hi Mihaela,

Is your environment able to provide those elements? You can include files in your Resources tab of the Module you're working on, and by choosing the Deploy to Target Directory option, they'll become available for use in your pages:

https://success.outsystems.com/Documentation/11/Developing_an_Application/Use_Data/Use_Resources

Thank you, Afonso Carvalho. For example, I have the following issue related to an HTTP response including a remotely hosted JavaScript file: <script src='//cdnjs.cloudflare.com/ajax/libs/lodash.js/1.3.1/lodash.min.js'></script>. Do you have any idea whether, when choosing the Deploy to Target Directory option, the files are hosted on the server in Outsystems' network or the local server?



If you want to include a copy of that JavaScript library in your Resources, it will reside in the location where you publish your Module - it might exist elsewhere if you're using more front-end servers.

I'm not sure I follow your distinction between the "server in the Outsystems network" and the "local server".
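
As an added example (not from any poster in this thread and not OutSystems code), the following Python check parses an HTML response body and lists every script or stylesheet that resolves to a host other than the application's own, including protocol-relative references like the one quoted above. The page URL, the second CDN host and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: the page URL and markup are illustrative only.
SAMPLE_PAGE_URL = "https://app.example.com/MyApp/Home.aspx"
SAMPLE_HTML = """
<html><head>
<script src='//cdnjs.cloudflare.com/ajax/libs/lodash.js/1.3.1/lodash.min.js'></script>
<script src="/MyApp/scripts/local.js"></script>
<link rel="stylesheet" href="Theme.css">
<link rel="stylesheet" href="https://cdn.example.net/theme.css">
<script>var inline = 1;</script>
</head></html>
"""


class RemoteIncludeFinder(HTMLParser):
    """Collects <script src> and <link rel=stylesheet href> served by another host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).netloc.lower()
        self.findings = []  # list of (tag, resolved absolute URL)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            ref = a.get("src")
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            ref = a.get("href")
        else:
            return
        if not ref:
            return  # inline script, nothing is fetched
        # urljoin resolves relative and protocol-relative ("//host/...") references
        resolved = urljoin(self.page_url, ref.strip())
        parts = urlsplit(resolved)
        if parts.scheme in ("http", "https") and parts.netloc.lower() != self.page_host:
            self.findings.append((tag, resolved))


def find_remote_includes(html, page_url):
    finder = RemoteIncludeFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for tag, url in find_remote_includes(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"remote <{tag}>: {url}")
```

Anything this reports is a candidate for copying into the Module's Resources and referencing from the application's own path instead.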