[Security/Privacy] Full Source Maps (.js.map) exposed in production builds #3928

@iliyadindar

Describe the bug

Issue: Production Source Maps Exposed on Public CDN

Description

I have observed that the okta-signin-widget deployed via oktacdn.com (and potentially other channels) includes full Source Maps (.js.map) alongside minified production assets.

Example:
https://ok7static.oktacdn.com/assets/js/sdk/okta-signin-widget/7.37.1/js/okta-sign-in.min.js.map

This file is publicly accessible and contains the unminified source code, original comments, and file structure of the widget.

Impact

While this project is open source, exposing source maps in production environments used by downstream consumers (like Figma, etc.) increases the attack surface for those applications. It allows attackers to:

  1. Easily reverse-engineer the exact version and client-side logic being used.
  2. Debug the authentication flow in real-time against production targets.
  3. Identify potentially deprecated or vulnerable code paths more rapidly.

Reproduction Steps

Steps to Reproduce

  1. Navigate to any site using the hosted widget (e.g., admin.figma.com).
  2. Inspect the network traffic or source code.
  3. Append .map to the okta-sign-in.min.js URL.
  4. Observe that the server returns 200 OK with the full source map.

Suggested Fix

Please disable source map generation for production builds in the Webpack configuration.

File: webpack.common.config.js (or similar)

```js
// Recommendation:
devtool: process.env.NODE_ENV === 'production' ? false : 'source-map'
```

This ensures that while development remains easy, production deployments do not leak source metadata.

SDK Versions

7.37.1

Additional Information

No response
