Hi Webflow Community,
I’m encountering a security issue flagged during a HostedScan security audit on my Webflow project. The issue pertains to a JavaScript file hosted on Webflow’s CDN:
Script causing the issue:
<script src="https://cdn.prod.website-files.com/.../js/webflow.387d97cd1.js" type="text/javascript"></script>
Issue Details
- Flagged Vulnerability: Cross-Domain JavaScript Source File Inclusion.
- Description: The scan highlights that including JavaScript files from external sources can be a potential security risk, especially if the source isn’t strictly controlled or trusted.
- Proposed Solution by Scan Tool: Ensure JavaScript source files are loaded only from trusted sources, and the sources can’t be controlled by end users of the application.
Context
This script (webflow.js) is auto-generated and hosted by Webflow, and it is essential for my site’s functionality, such as interactions and animations. While I trust Webflow’s infrastructure, the security tool still flags it as a potential risk.
Has anyone else encountered this issue with security scans, and how did you resolve it?
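As an added example (not code from the original post, from Webflow, or from HostedScan), the script below reproduces the check behind this finding: it lists every script tag whose src origin differs from the page origin, notes whether the tag carries a Subresource Integrity (integrity) attribute, and shows how the integrity value for a given script body is computed and verified, which is how a browser confirms that a cross-domain file has not been altered. The page URL, the sample HTML, the second script URL and the script body are constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect the attribute dicts of all <script> start tags."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append(dict(attrs))


def find_cross_domain_scripts(html, page_url):
    """Return [(src, has_integrity)] for scripts loaded from another origin.

    Relative and protocol-less same-host URLs are treated as same-origin;
    anything with a different scheme or host is reported, which is the
    "Cross-Domain JavaScript Source File Inclusion" condition.
    """
    page = urlparse(page_url)
    page_origin = (page.scheme.lower(), page.netloc.lower())
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script, nothing is fetched from elsewhere
        parsed = urlparse(src)
        if not parsed.netloc:
            continue  # relative URL resolves against the page origin
        scheme = (parsed.scheme or page.scheme).lower()
        if (scheme, parsed.netloc.lower()) != page_origin:
            findings.append((src, "integrity" in attrs))
    return findings


def sri_integrity(script_bytes):
    """Compute the SRI value (sha384, base64 digest) for a script body."""
    digest = hashlib.sha384(script_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def verify_sri(script_bytes, integrity):
    """Mirror the browser check: the fetched body must match the pinned hash."""
    return sri_integrity(script_bytes) == integrity


# Constructed sample page: the Webflow script from the post, a same-origin
# script, and a hypothetical third-party script that already pins its hash.
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.prod.website-files.com/.../js/webflow.387d97cd1.js" type="text/javascript"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</head><body></body></html>
"""
SAMPLE_PAGE_URL = "https://www.example.com/"  # constructed page origin


if __name__ == "__main__":
    for src, pinned in find_cross_domain_scripts(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"cross-domain script: {src}  integrity attribute: {pinned}")
    body = b"console.log('constructed script body');"
    tag_value = sri_integrity(body)
    print("integrity value for the sample body:", tag_value)
    print("unmodified body verifies:", verify_sri(body, tag_value))
    print("modified body verifies:", verify_sri(body + b"//", tag_value))
```

Running it reports the webflow.js include (no integrity attribute) and the constructed cdn.example.net include (with one) while ignoring the same-origin /js/site.js; the verify calls show that a pinned hash accepts the original body and rejects a modified one, which is the property the scanner's "sources can't be controlled" advice is aiming at.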