Considerations for adding Web User Control Assets in Multi-tenant Cloud Configurations

Note: Use of Web User Control Asset features can introduce serious security vulnerabilities in a multi-tenant cloud environment. We strongly recommend that these features be enabled only for expert web developers after consideration of the points made in this topic.

In multi-tenant cloud configurations, customers share a set of web servers. This means that some web resources are also shared.

The Web User Control Assets mechanism allows you to upload your own HTML, JavaScript and image resources. You can then leverage those resources in Mongoose as UserControl components or User Components.

When you are operating in a multi-tenant cloud environment, seriously consider the shared responsibility involved in using these features.

One consideration is that if your JavaScript uses cookies, they could be accessible to JavaScript added by other tenants. This means that, if the same users were to use your application and also applications owned by those other tenants, both applications could access those cookies. So, use reasonable caution in how you use cookies with Web User Control Assets.
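The following added example (not Mongoose code, and not part of the original topic) models the browser's cookie matching rules to show why a cookie written by one tenant's script on a shared web server is readable by another tenant's script. It assumes that tenants' forms are served from one host name under different paths; the host names, paths and cookie names are constructed for illustration.

```javascript
// Added example: models which cookies `document.cookie` exposes to a script,
// using RFC 6265 host-only and path-match rules. Hosts, paths and cookie names
// are constructed; nothing here is a Mongoose API.

// RFC 6265 section 5.1.4 path-match.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Models `document.cookie = "name=value; Path=path"` run on `host`.
  // No Domain attribute is given, so the cookie is host-only.
  set(host, name, value, path) {
    this.cookies = this.cookies.filter(
      (c) => !(c.host === host && c.name === name && c.path === path));
    this.cookies.push({ host, name, value, path });
  }

  // Names that `document.cookie` yields to ANY script on host + pagePath.
  // The jar has no notion of which tenant uploaded the script.
  readableBy(host, pagePath) {
    return this.cookies
      .filter((c) => c.host === host && pathMatch(pagePath, c.path))
      .map((c) => c.name)
      .sort();
  }
}

function demo() {
  const jar = new CookieJar();
  const shared = "shared-web.example"; // constructed shared web server name
  // Tenant A's uploaded script, running in a form under /tenantA/ (assumed layout):
  jar.set(shared, "tenantA_cart", "42", "/");           // Path=/
  jar.set(shared, "tenantA_draft", "x", "/tenantA");    // narrowed Path
  jar.set("dedicated-a.example", "tenantA_cart", "42", "/"); // non-shared host
  return {
    tenantBPage: jar.readableBy(shared, "/tenantB/form"),
    tenantAPage: jar.readableBy(shared, "/tenantA/form"),
    otherHost: jar.readableBy("dedicated-b.example", "/form"),
  };
}

// Path narrows what document.cookie returns, but RFC 6265 states that Path
// cannot be relied upon for security, so treat every cookie as shared.
console.log(demo());
```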

Another consideration is that you should ensure that you have defined a security policy regarding who can run the forms/pages that utilize your JavaScript. This is especially true for HTML or JavaScript content that you deem to be important, unique intellectual property, because that content gets transported out to the end user's browser and can thus be examined or stolen.