What is changing?
As of September 30, 2024, the return of external URLs with url.resolveScript(options) will be allowed only for authenticated sessions. Scripts that use url.resolveScript(options) with the returnExternalUrl parameter set to true will no longer work in untrusted contexts.
To avoid errors, you must review scripts that use the url.resolveScript(options) method with the returnExternalUrl parameter set to true and ensure that this setting is used only in a trusted context.
Untrusted contexts include:
- A client script where all roles are selected in the Roles field on the Audience subtab of the script deployment record, AND
- The client script is running for users who cannot be identified, such as customers and shoppers on Web sites.
Trusted contexts include:
- External Suitelets accessed with the updated External URL (using the ns-at parameter) from the script deployment record. See Changes to External Suitelet URLs, SuiteAnswers ID 31709.
- Suitelets called within an authenticated session, such as within NetSuite UI pages for logged-in users. These Suitelets are internal and do not require the Available Without Login preference to be enabled.
- Client scripts called within an authenticated session, such as within NetSuite UI pages for logged-in users.
Required actions
Before September 30, 2024, you should identify scripts in your account that use url.resolveScript(options) with returnExternalUrl: true, and ensure that this setting is used only in a trusted context.
These scripts include but are not limited to client scripts associated with external forms and Suitelets or client scripts used in Web sites. For example, client scripts may be associated with Suitelets in scripts where the clientScriptFileId property is in use.
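One way to carry out this review over exported script files is the added Node.js helper below; it is not NetSuite code, and the function names (extractCallArgs, findExternalUrlCalls) and the sample script are constructed for illustration. It reports each resolveScript call whose options set returnExternalUrl to true, and marks non-literal values for manual review.

```javascript
// Added audit helper (not NetSuite code): finds resolveScript(...) calls in
// SuiteScript source text and classifies the returnExternalUrl setting.
function extractCallArgs(src, openIdx) {
  // Return the text between the '(' at openIdx and its matching ')'.
  let depth = 0, quote = null;
  for (let i = openIdx; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      if (ch === '\\') i++;                 // skip the escaped character
      else if (ch === quote) quote = null;  // end of string literal
    } else if (ch === '"' || ch === "'" || ch === '`') {
      quote = ch;
    } else if (ch === '(') {
      depth++;
    } else if (ch === ')' && --depth === 0) {
      return src.slice(openIdx + 1, i);
    }
  }
  return src.slice(openIdx + 1);            // unbalanced: return the remainder
}

function findExternalUrlCalls(src) {
  const findings = [];
  const callRe = /\.resolveScript\s*\(/g;   // matches any module alias
  let m;
  while ((m = callRe.exec(src)) !== null) {
    const openIdx = m.index + m[0].length - 1;
    const args = extractCallArgs(src, openIdx);
    const opt = /returnExternalUrl\s*:\s*([^,}\s]+)/.exec(args);
    if (!opt || opt[1] === 'false') continue;  // internal URL: not affected
    findings.push({
      line: src.slice(0, m.index).split('\n').length,
      // Literal true is affected; any other expression needs a manual look.
      status: opt[1] === 'true' ? 'external' : 'review',
    });
  }
  return findings;
}

// Constructed sample script text (script and deployment IDs are made up).
const SAMPLE = `define(['N/url'], function (url) {
  var a = url.resolveScript({ scriptId: 'customscript_a', deploymentId: 'customdeploy_a', returnExternalUrl: true });
  var b = url.resolveScript({ scriptId: 'customscript_b', deploymentId: 'customdeploy_b' });
  var c = url.resolveScript({ scriptId: 'customscript_c', deploymentId: 'customdeploy_c', returnExternalUrl: isPublic });
});`;

console.log(findExternalUrlCalls(SAMPLE));
```

Calls that pass a prebuilt options variable or use the shorthand property form are not detected by this text match and still need a manual check, as does the deployment context (Audience roles, Available Without Login) of each reported script.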
Best practices to keep in mind as you develop Suitelets include:
- Suitelets are not intended for use in systems integration use cases. RESTlets are intended for these cases.
- External Suitelets should be reserved for creating online forms.
- In trusted contexts, https.requestSuitelet(options) can still be used to call the internal URL for a Suitelet. See https.requestSuitelet(options), SuiteAnswers ID 108345.