App catalog Trust prompt for external dependencies too in the SharePoint Framework
It would be great if all the referenced external dependencies (scripts) were listed in the trust prompt in the app catalog,
and eventually the same for scripts dynamically loaded through the SPComponentLoader: the externally loaded scripts should be declared.
This would prevent any way of code "injection" without the explicit consent of the app catalog administrator.
Yannick Plenevaux commented
Just wanted to add (if we leave aside the SPComponentLoader part): if I am right, all the external references must be added in the config.json file, so I think it would be pretty easy to add them to the manifest in the .sppkg?
At least that way, even if there will always be workarounds to "inject" external JS, some development guidelines, governance, etc. would be easier to verify.
That said, it will always be up to app catalog administrators to decide what they trust or not... My suggestion is just an extra help for them to decide.
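The check the comment above describes can be done today outside the app catalog, by reading the "externals" section of an SPFx config.json before the package is approved. The following is an added example written for this page, not code from the thread or from the SharePoint Framework itself; it assumes the documented shape of the "externals" section (a module name mapped either to a URL string or to an object with a "path", plus "globalName" for non-module scripts) and uses a constructed sample config with made-up URLs. It lists every remote script reference, separates references to hosts an administrator has already approved from those that need review (unknown host, or served over plain HTTP), and ignores entries bundled from disk since those are covered by the package contents. Scripts loaded at run time through SPComponentLoader never appear in config.json, which is exactly the gap the original request points at; this review only covers what the build configuration declares.

```python
import json
from urllib.parse import urlparse

# Constructed sample config.json "externals" section, modelled on the SPFx
# build configuration. Both the string form and the object form are shown.
# All hosts and paths below are made up for this example.
SAMPLE_CONFIG = """
{
  "externals": {
    "jquery": "https://code.jquery.com/jquery-3.6.0.min.js",
    "legacy-lib": { "path": "http://cdn.example.test/legacy-lib.js", "globalName": "LegacyLib" },
    "local-helper": "node_modules/local-helper/dist/helper.js"
  }
}
"""


def collect_externals(config: dict) -> list:
    """Return one record per entry in the config.json 'externals' section.

    Each record carries the module name, the declared path or URL, the host
    (empty for relative paths that are bundled from disk), whether the
    reference is fetched from a remote host at all, and whether it is HTTPS."""
    records = []
    for module, spec in config.get("externals", {}).items():
        path = spec if isinstance(spec, str) else spec.get("path", "")
        parsed = urlparse(path)
        records.append({
            "module": module,
            "path": path,
            "host": parsed.netloc.lower(),
            "remote": parsed.scheme in ("http", "https"),
            "https": parsed.scheme == "https",
        })
    return records


def review_externals(records: list, allowed_hosts: set) -> dict:
    """Split remote externals into approved (HTTPS from an allowed host)
    and flagged (unknown host, or not served over HTTPS)."""
    approved, flagged = [], []
    for record in records:
        if not record["remote"]:
            continue  # bundled from disk: reviewed as part of the package itself
        if record["https"] and record["host"] in allowed_hosts:
            approved.append(record["module"])
        else:
            flagged.append(record["module"])
    return {"approved": approved, "flagged": flagged}


def review_config_text(text: str, allowed_hosts: set) -> dict:
    """Convenience wrapper: parse a config.json document and review it."""
    return review_externals(collect_externals(json.loads(text)), allowed_hosts)


if __name__ == "__main__":
    # An administrator's allow-list of script hosts; constructed for the example.
    result = review_config_text(SAMPLE_CONFIG, {"code.jquery.com"})
    for module in result["approved"]:
        print(f"approved: {module}")
    for module in result["flagged"]:
        print(f"REVIEW:   {module}")
```

Running it against the sample prints jquery as approved and legacy-lib as needing review (plain HTTP from a host not on the list); local-helper is skipped because it is packaged from disk rather than fetched at run time.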