Today, we noticed that fields that are used in an action’s visibility check are delivered to the user’s browser as part of the record XHR call. For us this is a severe security issue because internal fields are exposed.
Steps to reproduce:
- Create a record details page
- Add an action with a visibility condition connected to a secret field value (e.g. an internal status field)
- Check the AJAX response for the record
Actual result:
The value of the secret field is exposed to the user’s browser as part of the XHR response body.
Expected result:
Only fields that are actually displayed are delivered to the user.
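One way to shape the record endpoint so that visibility is resolved on the server and only displayed fields reach the browser, shown as an added example beside the leaky shape the report describes; this is not code from the original report or from the product it concerns, and the record fields, action names and condition format are constructed assumptions:

```python
import json
from typing import Any, Dict, Iterable, Set

# Constructed sample record as stored server-side; internal_status and
# risk_score are internal fields that must never reach the browser.
RECORD: Dict[str, Any] = {
    "id": 42,
    "title": "Quarterly report",
    "owner": "alice",
    "internal_status": "under_review",
    "risk_score": 87,
}

# Fields the record details page actually renders.
DISPLAYED_FIELDS = ("id", "title", "owner")

# Action visibility conditions (assumed format): action -> (field, required value).
ACTIONS = {
    "approve": ("internal_status", "under_review"),
    "escalate": ("risk_score", 87),
}


def build_response_leaky(record: Dict[str, Any]) -> Dict[str, Any]:
    """Leaky shape: every field a condition references is shipped so the
    client can evaluate visibility itself, so internal values end up in the XHR."""
    needed = set(DISPLAYED_FIELDS) | {field for field, _ in ACTIONS.values()}
    return {
        "record": {k: v for k, v in record.items() if k in needed},
        "actions": dict(ACTIONS),
    }


def build_response_safe(record: Dict[str, Any]) -> Dict[str, Any]:
    """Hardened shape: evaluate each condition server-side and return only a
    boolean per action plus the fields that are actually displayed."""
    return {
        "record": {k: record[k] for k in DISPLAYED_FIELDS if k in record},
        "actions": {
            name: record.get(field) == expected
            for name, (field, expected) in ACTIONS.items()
        },
    }


def leaked_fields(payload: Dict[str, Any], secret_fields: Iterable[str]) -> Set[str]:
    """Regression check: secret field names that appear anywhere in the payload."""
    text = json.dumps(payload)
    return {f for f in secret_fields if f in text}
```

The `leaked_fields` check can be kept as a test against the real endpoint's serialized response to catch any reintroduction of the leak.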