Skip to main content
U.S. flag

An official website of the United States government

Here’s how you know

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

HTTPS

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

    • Environmental Topics
    • Air
    • Bed Bugs
    • Cancer
    • Chemicals, Toxics, and Pesticide
    • Emergency Response
    • Environmental Information by Location
    • Health
    • Land, Waste, and Cleanup
    • Lead
    • Mold
    • Radon
    • Research
    • Science Topics
    • Water Topics
    • A-Z Topic Index
    • Laws & Regulations
    • By Business Sector
    • By Topic
    • Compliance
    • Enforcement
    • Laws and Executive Orders
    • Regulations
    • Report a Violation
    • Environmental Violations
    • Fraud, Waste or Abuse
    • About EPA
    • Our Mission and What We Do
    • Headquarters Offices
    • Regional Offices
    • Labs and Research Centers
    • Planning, Budget, and Results
    • Organization Chart
    • EPA History

Breadcrumb

  1. Home
  2. Web Policies and Procedures

JavaScript Files and Libraries Review Process

Alert
Alert Third-Party JavaScript

Avoid unnecessary third-party resources: Agencies must not embed static, unchanging web assets, such as a specific version of a common and widely used code library (e.g., JavaScript, CSS, fonts) that are hosted on third-party services not under the control of the agency. Embedding static third-party assets is an outdated practice that no longer confers significant performance benefits, and it creates unnecessary security risks. This restriction only applies to static (unchanging) third-party assets and does not bar the practice of embedding dynamic third-party resources that are necessary for digital service delivery (e.g., analytics services).

Therefore, EPA prohibits the practice of using third-party JavaScript libraries. Exceptions include Google Analytics, CrazyEgg, Foresee, and other analytics software.

OMS maintains a set of JavaScript libraries for your use. Well-known third-party libraries may be added through the process outlined on this page.

If you want to use JavaScript files or libraries on your EPA website, follow these steps to ensure that the files or libraries are safe, secure, and accessible.

  1. Check if the file or library is already approved by EPA.
  2. If the file or library is not approved, request approval from EPA.
    1. You will develop and test your code on the Drupal WebCMS development server.
      1. The development server has the same code as the production environment. If you have an account on the production server, you also have an account on the sandbox.
    2. Provide the JS files to OMS so that we can load them into the sandbox. A list of dependencies must be provided to OMS so that the JavaScript can be loaded in the correct order on the page. Once the files are available, build your page and code.
  3. Contact the TZ Service Manager in OMS to set up a TZ account to pay for the code review under Working Capital Fund Services. No work can take place until you have a registration id/charge code set up for vetting submitted code.
  4. Wait for EPA to review your request. EPA will check if the file or library meets the following criteria:
    • It does not contain any malicious code or vulnerabilities
    • It does not conflict with other files or libraries on EPA websites
    • It follows the web standards and best practices for JavaScript
    • It is compatible with different browsers and devices
    • It does not affect the performance or usability of EPA websites
    • It supports accessibility for people with disabilities
  5. If EPA approves your request, your code will be uploaded to production, so you can link to it on your production pages.
  6. If EPA denies your request, you will receive an email with the reasons for denial and suggestions for alternatives. You will not be able to use the file or library on your website.

Examples of Using JavaScript for "Small" Applications

  • Superfund Where you Live dataset has over 1,800 Superfund locations.
  • Region 1's Charles River Buoy dataset dynamically pulls data from environmental readings and displays the data with Highcharts.
  • EPA RCRA ID: AKD000643239: This page uses the ID number and this script to query an EPA service at ofmpub.epa.gov/enviro.
  • Air Data - Tile Plot: This page uses JS to poll a CGI script hosted on www3 and insert that data into the HTML.

Web Policies and Procedures

  • Web Policies and Procedures Resources
  • EPA Web Standards
  • Historical Memoranda
  • Plain Writing
  • EPA Disclaimers
Contact Us About Web Policies and Procedures
Contact Us to ask a question, provide feedback, or report a problem.
Last updated on March 24, 2025
  • Assistance
  • Spanish
  • Arabic
  • Chinese (simplified)
  • Chinese (traditional)
  • French
  • Haitian Creole
  • Korean
  • Portuguese
  • Russian
  • Tagalog
  • Vietnamese
United States Environmental Protection Agency

Discover.

  • Accessibility Statement
  • Budget & Performance
  • Contracting
  • EPA www Web Snapshot
  • Grants
  • No FEAR Act Data
  • Plain Writing
  • Privacy
  • Privacy and Security Notice

Connect.

  • Data
  • Inspector General
  • Jobs
  • Newsroom
  • Regulations.gov
  • Subscribe
  • USA.gov
  • White House

Ask.

  • Contact EPA
  • EPA Disclaimers
  • Hotlines
  • FOIA Requests
  • Frequent Questions
  • Site Feedback

Follow.