This content describes an older version of this product.

Loading JavaScript Files from Third-Party Endpoints

Avoid dynamically loading third-party JavaScript files from content delivery networks (CDNs). Instead, load the code from the static resources folder of your package.
Dynamically loading third-party JavaScript files from CDNs or other third parties isn’t permitted for two reasons.
  • You must version your entire solution with a package version ID so that there’s a well-defined product to review and track. If your solution dynamically loads code from third-party endpoints, the externally managed code can change without the package version ID changing. The administrator and the Salesforce security review team aren’t made aware of the change.

    Salesforce can’t ensure that the third-party code continues to safeguard against the latest security vulnerabilities. To ensure that the code is subject to package version control, dynamically load the code from the static resources folder of your package. You can’t change packaged code without changing the package version ID. Plus, version ID changes signal to administrators and the AppExchange security team that the code changed.

  • Dynamically loading code from a third-party endpoint grants that endpoint the ability to inject code into any Salesforce org in which the package is installed. Only dynamically load code from Salesforce-approved CDNs, where Salesforce manages the code rather than the partner.
At a high level, the solution is:
  1. Save third-party JavaScript files in static resources.
  2. Add the resources to your solution package.
  3. Load each JavaScript file from a $Resource URL.

Visualforce Example

These code snippets depict the security violation and how to fix it in Apex and for Lightning components in Aura. This Visualforce code isn’t secure because jQuery is loaded from a third-party source.

<apex:includeScript value="https://code.jquery.com/jquery-3.2.1.min.js"/>
This Visualforce code is secure because it loads a version of jQuery from the static resources folder of your package using a $Resource URL.
<apex:includeScript value="{! $Resource.jQuery }"/>

Aura Example

This Aura component code isn’t secure because jQuery is directly loaded from a third-party source.

<aura:component>
   <ltng:require afterScriptsLoaded="{!c.initializeUI}"
   scripts="https://code.jquery.com/jquery-2.2.0.min.js"/>
</aura:component>

This Aura component code is secure because jQuery is loaded from the solution package and referenced as a static resource using a $Resource URL.

<aura:component>
   <ltng:require afterScriptsLoaded="{!c.initializeUI}"
   scripts="{!$Resource.jsLibraries + '/jsLibOne.js'}"/>
</aura:component>
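The two violations above are easy to miss in a large package, so a static check that runs before the package version is cut is worth having. The following scanner is an added example, not code from the Salesforce documentation or from any Salesforce tool: it walks Visualforce and Aura markup, finds every apex:includeScript value and ltng:require scripts attribute, and reports any entry that resolves to a remote host instead of a $Resource reference. The APPROVED_CDN_HOSTS allow-list is a hypothetical placeholder, since the page says Salesforce-approved CDNs exist but does not name them; the sample markup is constructed from the four snippets on this page.

```javascript
// Added example (not from the Salesforce documentation): a static check that
// scans Visualforce and Aura markup for scripts loaded from remote URLs rather
// than from the package's static resources via $Resource.
"use strict";

// Hypothetical allow-list of Salesforce-approved CDN hosts. The page says such
// CDNs exist but does not name them, so it starts empty; populate it from the
// official list rather than guessing.
const APPROVED_CDN_HOSTS = new Set();

// Matches <apex:includeScript value="..."> and <ltng:require ... scripts="...">.
// Tag and attribute names are matched case-insensitively; straight and curly
// quotes are both accepted because pasted markup often carries the latter.
const SCRIPT_ATTR_RE =
  /<(apex:includeScript|ltng:require)\b[^>]*?\b(value|scripts)\s*=\s*["“]([^"”]*)["”]/gi;

// Absolute (http/https) or protocol-relative (//host/...) URL inside a source
// string; the captured group is the host name.
const REMOTE_HOST_RE = /(?:https?:)?\/\/([^/'"\s}]+)/i;

// Return the remote host named in a script source, or null if the source
// resolves inside the package (a $Resource expression or a relative path).
function remoteHost(src) {
  const m = src.match(REMOTE_HOST_RE);
  return m ? m[1].toLowerCase() : null;
}

// Classify one script source as "static", "approved-cdn" or "remote". A URL
// counts as remote even if $Resource text appears next to it, because the
// code is still fetched from outside the package.
function classifySource(src) {
  const host = remoteHost(src);
  if (host === null) return "static";
  return APPROVED_CDN_HOSTS.has(host) ? "approved-cdn" : "remote";
}

// Return every remote script load found in the markup, with tag, attribute,
// the offending source string and its host, so a CI step can fail on it.
function findRemoteScripts(markup) {
  const findings = [];
  for (const m of markup.matchAll(SCRIPT_ATTR_RE)) {
    const [, tag, attr, value] = m;
    // ltng:require accepts a comma-separated list of scripts.
    for (const raw of value.split(",")) {
      const src = raw.trim();
      if (classifySource(src) !== "remote") continue;
      findings.push({ tag, attr, src, host: remoteHost(src) });
    }
  }
  return findings;
}

// Constructed sample markup: the page's two insecure snippets and its two
// secure ones, concatenated as one scan input.
const SAMPLE_MARKUP = `
<apex:includeScript value="https://code.jquery.com/jquery-3.2.1.min.js"/>
<apex:includeScript value="{! $Resource.jQuery }"/>
<aura:component>
   <ltng:require afterScriptsLoaded="{!c.initializeUI}"
   scripts="https://code.jquery.com/jquery-2.2.0.min.js"/>
</aura:component>
<aura:component>
   <ltng:require afterScriptsLoaded="{!c.initializeUI}"
   scripts="{!$Resource.jsLibraries + '/jsLibOne.js'}"/>
</aura:component>
`;

// Running the scan over the sample reports exactly the two CDN loads.
const REPORT = findRemoteScripts(SAMPLE_MARKUP);
for (const f of REPORT) {
  console.log(`${f.tag} ${f.attr}: remote load from ${f.host} (${f.src})`);
}
```

The scan is deliberately conservative: only a `//host` pattern is treated as remote, so relative paths and `$Resource` expressions pass, while an `ltng:require` list that mixes a static resource with a CDN entry is still flagged for the CDN entry alone.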