Organizational Security Concerns #184

Open
dek39 opened this issue Dec 31, 2020 · 1 comment

Comments

@dek39

dek39 commented Dec 31, 2020

Unfortunately, my organization will not allow download of the Sprint Goal add-in due to security concerns. I wanted to provide these concerns to you, hoping that if any are easily resolvable that I will be able to download it in the future, if resolved. This is the feedback from our security review:

  1. The JavaScript files were minimized when they weren't supposed to be.
  2. Within those minimized scripts, there was some payment module information that didn't look right. I'm not sure why it would reference payment info when this has nothing to do with payment information.
  3. Sending any information outside of the organization is a violation of security and could be cause for termination (which appears to happen with this add-in).
  4. It's actually pulling in JavaScript from outside the organization's walls; this is a violation and goes against security practices, as it opens up our system to script injection.

Please let me know if there is any way to get support to address any of these!

@keesschollaart81
Owner

keesschollaart81 commented Feb 23, 2021

  1. I don't minimize the code; it is packed/bundled by WebPack into a single file. This is because an AzD extension is supposed to be self-contained. For multiple reasons I prefer a single file containing all the packages I need. (bundling != minimizing)
    [screenshot]
  2. My code does not reference an external library (check the .html files). All packages I depend upon are listed in package.json. These packages are included in the bundle, which you can see in the browser's network tab (e.g. sprint-goal.js) -- It could be possible that any of these dependencies dynamically loads an external resource; I am not aware of that and also cannot see that happen in my tests:
    [screenshot: browser network tab]
    ^^ all of these are Microsoft-owned hosts
  3. Totally agree
  4. Totally agree

By the way, I checked 1) and 2) with the latest 5.2 release.
