Sp-dev-docs: Security best practice - don't load js files from CDNs

Created on 2 May 2020 · 3 comments · Source: SharePoint/sp-dev-docs

Category

  • [ ] Question
  • [ ] Typo
  • [x] Additional article idea

Additional article idea

With reference to dev/sp-add-ins/complete-basic-operations-using-javascript-library-code-in-sharepoint, a bad practice is being given as an example, i.e.:

It is not good security practice to load .js files from a CDN because the contents of the .js files are not within the application developer's control; being loaded directly from the internet, they could be compromised.

Wouldn't it be better to give an example local site assets location for the loaded files instead?

Labels: other, answered question

Most helpful comment

Thank you for your question. I wouldn't say using CDNs is a _bad practice_. CDNs are still the most widely accepted way of serving up cached client side assets in web development across the world. Of course, I always recommend serving files from reputable CDNs. However, the use of CDNs and possible security concerns (if one became compromised) vary by organization/individual and if you feel uncomfortable using a CDN... by all means, you don't have to use them.

A quick note about that CDN being referenced. It is owned and operated by Microsoft. If you don't feel confident or safe using Microsoft's CDN for your Microsoft solutions, then pull them in locally and use them within your solution.

All 3 comments

Thank you for reporting this issue. We will be triaging your incoming issue as soon as possible.

Closing this issue as "answered". If you encounter a similar issue(s), please open up a new issue. See our wiki for more details: Issue-List: Our approach to closed issues

