To easily store a set of data, image(s) or styles, Salesforce provides StaticResources. This is often nicely used to develop sweet-looking-pages, or enable external scripts to be loaded. However, one should tread this like public data.
Regardless of the Cache Control – Private vs. Public – every Site or Community visitor is able to get a list of ALL static resources available in your environment. On each public page (Site) or Community page one can call below Javascript variable which will provide an Object with ALL static resources. Per Static Resource the object holds the timestamp of the latest cached version and namespace if applicable (see sample screenshot).
Aura.StaticResourceMap
Accessing any of these static resources, being on a Site or Community page, is of course just a matter of copy-paste. In below table you find the references. If needed, one can optionally add a timestamp (Epoch) between resource and the resource name, to enforce Salesforce to retrieve the latest version (e.g. customDomain.com/resource/1608809470000/APXTConga4__ComposerLogoRed).
Type | URL | Static Resource |
Standard Site Page | https://mydomain.force.com/sitePath | https://mydomain.force.com/sitePath/resource/[namespace__][name] |
Standard Community Page | https://mydomain.force.com/sitePath/s/ | https://mydomain.force.com/sitePath/resource/[namespace__][name] |
Custom Domain | https://customDomain.com/ | https://customDomain.com/resource/[namespace__][name] |
Conclusion
With this post I hope to make one aware of the potential risk of putting too much in a static resource, assuming nobody knows the name, or not making it ‘Public’. All resources are as easy to retrieve, so be aware and threat those with caution! 💪