What is the ICE Secure Scripting Framework?
Whenever an ICE Mortgage Technology product allows for the injection of custom
functionality, it does so using a technology framework known as the ICE Secure
Scripting Framework (SSF). The ICE Secure Scripting Framework isolates the
third-party’s customizations away from the host application (e.g., Encompass)
by loading the custom HTML/JavaScript into a “sandboxed” container. When
custom code/UI is loaded in a sandbox, we refer to that as a guest of the
application.
Besides isolation, the Secure Scripting Framework provides a communication
channel for all interactions between the host and its guest(s). To enable
communication, each host publishes a set of scripting objects that can be
invoked using JavaScript within the guest. These objects provide two core
interaction patterns for the guest to consume:
• Functions: Each scripting object provides a set of functions that can be invoked
by the guest to retrieve or modify the state or behavior of the host application.
For example, a host may expose a function to retrieve the data of the loan
currently being edited by the logged-in user.
• Events: Events allow guests to respond to (and intercede in) actions within the
host application. For example, a guest may be interested in knowing any time
the user modifies a loan data field in a form.
The set of scripting objects exposed to a guest is dependent on the integration
context in which the guest is loaded. Different guests will have different sets of
functionalities exposed to them to ensure data confidentiality and security. For
example, a script created by a Credit Service Provider would have significantly
restricted access compared to a script created by the Encompass lender that
licenses the Encompass system.
Running in a Sandbox
The ICE Secure Scripting Framework isolates all custom code written by a lender
or partner by loading it within a sandboxed environment that limits its access to
the rest of the application. Sandboxing is achieved by the HTML5 iframe tag’s
sandbox attribute.
When running inside the ICE Secure Scripting Framework sandbox, all guest
scripts/applications can do the following:
• Load and execute arbitrary JavaScript code
• Access the window object of the sandbox
• Create form elements, such as <input> tags, and submit forms (note: depending
on the context, these elements may not be visible to the user)
• Create pop-ups (e.g. window.open()) and modal dialogs