Require authentication by default for client-callable script includes [Updated in Security Center 1.3]

By default, client-callable script includes that do not explicitly set visibility, are public. If needed, add the glide.script.ccsi.ispublic property to enable privacy control over all client-callable script includes accessed by public pages.

When you add this property, you must set its value to false, which designates that all client-callable script includes are private, and changes their visibility in public pages.
Note: You cannot add the property with a value of true, or change its value from false to true. If you attempt to do so, an error message appears.
If needed, you can change the privacy setting for an individual client-callable script include by adding the isPublic() function.
  • The isPublic() setting takes precedence over the glide.script.ccsi.ispublic property.
  • For example, if you set isPublic() to true in an individual script, it makes it public, which overrides the glide.script.ccsi.ispublic property that makes all other client-callable script includes private.
Warning: This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.

More information

AttributeDescription
Property name glide.script.ccsi.ispublic
Configuration type System Properties (/sys_properties_list.do)
Category Access control
Purpose Making client-callable script includes private means that guests who access public pages can't access the client-callable script include. A non-logged-in user can't execute a private script.
Recommended value false
Default value false
Security risk rating 7.5
Functional impact If the client-callable script includes are designated as public (that is, this property is missing), then unauthenticated users can execute client scripts. Add the property restricts the execution of scripts by a non-logged-in user.
Security risk (High) If you do not add this property, client-side script includes circumvent ACLs, which may result in unintended public functionality. If the client script provides confidential information, it could have an adverse potential security risk.
Workaround

Setting the glide.script.ccsi.ispublic property to false makes all client-callable script includes private.

You can change the privacy setting for an individual client-callable script include by adding the isPublic() function. The isPublic function takes precedence over the glide.script.ccsi.ispublic property. Add the following syntax to the script include:

isPublic:function(){return[true/false];},