Cross-Domain JavaScript Source File Inclusion

Hi Webflow Community,

I’m encountering a security issue flagged during a HostedScan security audit on my Webflow project. The issue pertains to a JavaScript file hosted on Webflow’s CDN:

Script causing the issue:

<script src="https://cdn.prod.website-files.com/.../js/webflow.387d97cd1.js" type="text/javascript"></script>

Issue Details

  • Flagged Vulnerability: Cross-Domain JavaScript Source File Inclusion.
  • Description: The scan highlights that including JavaScript files from external sources can be a potential security risk, especially if the source isn’t strictly controlled or trusted.
  • Proposed Solution by Scan Tool: Ensure JavaScript source files are loaded only from trusted sources, and the sources can’t be controlled by end users of the application.

Context

This script (webflow.js) is auto-generated and hosted by Webflow, and it is essential for my site’s functionality, such as interactions and animations. While I trust Webflow’s infrastructure, the security tool still flags it as a potential risk.

Has anyone else encountered this issue with security scans, and how did you resolve it?