Enable privacy on client script includes

This issue is found automatically by CODA.
Time to fix: 30min

What is this glide property used for?

To understand the importance of the glide.script.ccsi.ispublic property in ServiceNow, it helps to first understand what a client-callable script is.

A client-callable script in ServiceNow is, in essence, a script include that can be invoked and reused from the client side, including within client scripts, business rules, and UI actions. By using this approach, developers can execute server-side logic or functions, facilitating the sharing of common server-side functionality with the client side in a secure and accessible manner.

By default, client-callable scripts are public, meaning that they are accessible unless explicitly marked as private. The glide.script.ccsi.ispublic property determines and regulates this default visibility.

Why is this an issue?

On an instance where the glide.script.ccsi.ispublic property has not been created and set to false, client-callable scripts can be used publicly. This situation can lead to security issues, including:

  • Exposure of Sensitive Information: If a client callable script holds sensitive data or operations, setting it as public allows any client-side script to invoke it, posing a risk of exposing critical information to unauthorized users.

  • Unauthorized Access: Making client callable scripts public can grant unrestricted access to functionalities and data, potentially enabling malicious users to execute actions beyond their permissions.

How do I fix it?

Before addressing this issue, it is important to be aware of a few things:

  • Once the property has been added and set to a value of false, it cannot be changed back to true due to security restrictions.

  • Once created, the property cannot be deleted.

  • Once the property is set to false, all scripts will become private. To override this rule and make a script public, it will be necessary to add the isPublic() function to the script include. The code for the isPublic() function is as follows:

    isPublic: function() {
        return true;
    },

Now, to fix this issue, first check whether the property exists:

  1. In the Filter Navigator, type and enter sys_properties.list.

  2. Search for glide.script.ccsi.ispublic.

  3. If the property exists, set its value to true.

If the property does not exist, click New in the top right corner of the page, enter glide.script.ccsi.ispublic as the name and false as the value, and click Submit.
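
Because an isPublic() override keeps a script include public after the property is set to false, it is worth reviewing which script includes carry one. The following is an added example, not ServiceNow or CODA code: it models the visibility rule described on this page over constructed sample records. The record fields (name, client_callable, script), the sample script names, and the regex heuristic are assumptions, and it runs in plain Node.js rather than on an instance.

```javascript
// Constructed sample rows mimicking script include records (assumed fields).
const wrap = (name, body) =>
  `var ${name} = Class.create();\n${name}.prototype = ` +
  `Object.extendsObject(AbstractAjaxProcessor, {\n${body}\n  type: '${name}'\n});`;

const SAMPLE_SCRIPT_INCLUDES = [
  { name: 'PublicLookupAjax', client_callable: true,
    script: wrap('PublicLookupAjax', '  isPublic: function() {\n    return true;\n  },') },
  { name: 'HrDataAjax', client_callable: true,
    script: wrap('HrDataAjax', "  getRecord: function() { return 'x'; },") },
  { name: 'CommentedAjax', client_callable: true,
    script: wrap('CommentedAjax', '  // isPublic: function() { return true; },') },
  { name: 'DynamicAjax', client_callable: true,
    script: wrap('DynamicAjax', '  isPublic: function() { return this.flag; },') },
  { name: 'ServerOnlyUtil', client_callable: false,
    script: wrap('ServerOnlyUtil', '  isPublic: function() { return true; },') },
];

// Heuristic: matches only the literal override form shown on this page.
const PUBLIC_OVERRIDE_RE =
  /isPublic\s*:\s*function\s*\(\s*\)\s*\{\s*return\s+true\s*;?\s*\}/;

// propValue is the value of glide.script.ccsi.ispublic; undefined = not created.
function effectiveVisibility(rec, propValue) {
  if (!rec.client_callable) return 'not-client-callable';
  // Drop comments so a commented-out override is not counted.
  const code = rec.script.replace(/\/\*[\s\S]*?\*\/|\/\/.*$/gm, '');
  if (PUBLIC_OVERRIDE_RE.test(code)) return 'public-override';
  if (/\bisPublic\b/.test(code)) return 'review'; // non-literal body, check by hand
  return propValue === 'false' ? 'private' : 'public-default';
}

// Script includes that are, or may be, reachable publicly.
function auditPublic(records, propValue) {
  return records
    .map((r) => ({ name: r.name, visibility: effectiveVisibility(r, propValue) }))
    .filter((r) => r.visibility !== 'private' && r.visibility !== 'not-client-callable');
}

console.log(auditPublic(SAMPLE_SCRIPT_INCLUDES, 'false'));
```

Entries reported as public-override are the ones to justify individually once the property is false; entries reported as review have an isPublic() whose result cannot be determined from the source text alone.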