As a business user, you can use the Mashup Center widget builder to create widgets and then flag them as non-trusted. Marking widgets as non-trusted is useful when your widget has the potential to cause a security risk to the host system, for example by sending malicious scripts that grab cookies or modify DOM nodes. By default, widgets that you create using the widget builder are trusted.
A non-trusted widget is one that could be unsafe or malicious, for example a widget that could initiate a transaction that results in an attack on the company server. Whenever you create a new widget using the widget builder and want to be certain that it does not cause any damage to the host system, you can mark the widget as non-trusted.
Non-trusted widgets behave exactly the same as trusted widgets on a page. The main difference between the two types of widgets is what happens in the background. When you add a non-trusted widget to a page, Mashup Center wraps the widget inside a secure iFrame. This prevents the widget from sending any malicious code to the host system. Trusted widgets are not wrapped in an iFrame and therefore do not have this protective layer that prevents them from sending code to the host.
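This page does not describe how Mashup Center builds its secure iFrame, so the following added example (not Mashup Center code) shows the general browser technique: a non-trusted widget is rendered into a sandboxed iframe with an opaque origin, and the host checks every event the frame posts back. The function names, the event names, and the use of the HTML `sandbox` attribute and `postMessage` are assumptions made for illustration.

```javascript
// Added illustration, not Mashup Center code. All names here are hypothetical.
const ALLOWED_EVENTS = new Set(["itemSelected", "filterChanged"]); // constructed event names

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Trusted widgets render inline in the host page and share its DOM and cookies.
// Non-trusted widgets are wrapped in a sandboxed frame instead.
function renderWidget(widget) {
  const id = escapeAttr(widget.id);
  if (widget.trusted) {
    return `<div class="widget" data-widget-id="${id}">${widget.markup}</div>`;
  }
  // "allow-scripts" without "allow-same-origin" gives the frame an opaque origin:
  // the widget's script still runs, but the host's document.cookie and
  // parent.document are out of its reach.
  return `<iframe class="widget" data-widget-id="${id}" sandbox="allow-scripts" ` +
         `srcdoc="${escapeAttr(widget.markup)}"></iframe>`;
}

// Host-side gate for events that a framed widget sends with postMessage.
// Returns a cleaned copy of the event, or null when the message is rejected.
function acceptWidgetEvent(messageEvent, frameWindow) {
  if (messageEvent.source !== frameWindow) return null; // not the frame the host created
  if (messageEvent.origin !== "null") return null;      // sandboxed frames report "null"
  const data = messageEvent.data;
  if (typeof data !== "object" || data === null) return null;
  if (!ALLOWED_EVENTS.has(data.name)) return null;      // only events the page is wired for
  if (typeof data.payload !== "string" || data.payload.length > 256) return null;
  return { name: data.name, payload: data.payload };    // copy only the expected fields
}
```

In a browser, the host would call `acceptWidgetEvent(event, iframe.contentWindow)` from its `message` listener and forward only non-null results to the wired widgets.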
After you mark a widget as non-trusted, you can easily change the flag back to trusted. In the mashup builder, when you open a category in the palette, any widget that has been flagged as non-trusted displays a warning icon next to the widget name. When you hover your cursor over the widget name, a pop-up window displays a message saying that the widget is non-trusted and may not be safe.
For testing purposes, you can mark trusted widgets as non-trusted directly from your personal palette. Then, you can add them to your page, and test them in a nonproduction environment. After your testing is complete, you can switch the flag back to trusted for subsequent instances of the widget.
To change trusted widgets to non-trusted, test them on a page, and then change them back to trusted, do the following steps:
- In the mashup builder palette, locate the widget that you want to modify.
- Click the display menu, and select Mark as Non-Trusted.
- Drag the widget onto your page.
- Test the widget by wiring it to other widgets and sending events.
- When you are finished testing, return to the palette, click the display menu, and select Mark as Trusted.
Now, you can configure the widget as desired and create your page.