Adding in site-wide code for third-party tools to our products - our guidance

We are occasionally asked if we can embed site-wide code for third-party tools, such as those for web screen reading or analytics. While we understand the use case, we take security very seriously and third-party plugins or code applied across the site could risk the security or functionality of our applications.

We strongly advise against having third-party custom code embedded site-wide, as well-meaning configuration changes may result in disruption to service, unforeseen changes to data, or the collection of data which has not been approved. Often these tools are remotely operated, allowing code to be injected into a site, and we have no control over how secure these pieces of software are as they are managed by third parties. If a plugin is capable of changing the behaviour of our applications (or any website) through use of JavaScript, then this poses a significant risk.

What kind of things could the addition of these tools do?

  • They could prevent normal operation of a system by making unexpected changes (Availability).
  • Depending on how you have them set up and their purpose, they could potentially change your response data or omit some of it (Integrity).
  • They may also be able to read all the content on the page, if this is what they are designed to do, which may be in breach of local data protection regulations (Confidentiality).

As these are third-party tools, we have no control over what they may do when embedded into our software. Depending on the configuration (in most cases set by you or the external company), these may do one or all of the above. We have no way of knowing what changes they may be making, and therefore we are unable to support them.

For all of these reasons, we generally will not embed this kind of code into your site. In addition, we do not provide support for, or related to, third-party tools that may be added to your site.

Accessibility

To date, a couple of tools we have been asked to embed have been accessibility-related, and we completely agree with the desire to deliver accessible websites. Our products are all tested for accessibility and are designed to meet W3C WAI Web Content Accessibility Guidelines (WCAG) 2.1 Level AA. By following these standards, all our software should be compatible with recent versions of accessibility tools such as screen readers, speech recognition software, operating system accessibility tools such as screen magnifiers, and browser tools such as screen zoom and keyboard navigation. As such, they should not require additional plugins or third-party code.

However, we welcome feedback, and if anyone is having trouble using any of our products we would like to know so that we can make improvements. Please use the support link at the top of this page to get in touch.

Analytics

If you wish to collect analytics data, standard Google Analytics (you can find out more information about Google Analytics on the Google website) or another analytics provider for tracking is better for this task than a tool like Google Tag Manager, which allows code to be injected into a site and controlled externally. We cannot recommend that you use any analytics tools without proper thought and care, as these use tracking cookies to collect data over and above what is needed for the standard functioning of the site.