Apply security and server-side show/hide expressions client-side

Description

If you select this option, the component is not re-rendered at run-time to apply security and server-side show/hide expressions. Client-side JavaScript is used to hide controls that should not be visible to the user. This is less secure than applying these calculations server-side because the controls are still included in the component's HTML.

Discussion

The pre-render option for UX component can make a dramatic difference in the speed with which UX components are rendered. This is especially true of large UX components. Pre-rendering can result in 5 to 10x performance improvements in certain cases.

If UX component uses security or server-side show/hide expressions to control the visibility of certain controls, you cannot enable pre-rendering unless you also enable Apply security and server-side show/hide expressions client-side.

When this property is turned on, the UX is not recomputed at run-time (as is normally the case when a UX which uses security and/or server-side show/hide expressions). Instead, at run-time, data are sent to the UX with information about what security groups the user is in, and which controls need to be hidden or shown as a result of evaluating server-side show/hide expressions. A client-side function will then hide the controls that should not be visible.

It is important to understand that when you turn on the option to apply security and server-side show/hide expressions client-side, the result is not as secure as applying security and server-side show/hide expressions on the server. That's because when security and server-side show/hide expressions are applied server-side, the HTML and data that are sent to the client does not physically include anything that should not be visible to the user.

But when apply these settings client-side, the HTML may contain sensitive information that the user could see by viewing the page source (even though this information is hidden on the page itself).

A side benefit of turning this option on is that any controls whose visibility is controlled by a server-side show/hide expression will be shown or hidden if any ajax callback sets the value of a session variable that is used in a server/side show expression.