S-Controls Not Allowed Through Security Review

Jan 4, 2017

by Security Review Operations Team

S-Controls have been phased out since the Spring ’09 release and superseded by Visualforce. However, we still see a few partners using them in their apps. Visualforce pages are considered the next-generation of S-Controls and should replace them. S-Controls pose a security risk and will not be allowed for use in any new package.

If you are submitting a net new application for security review, please make sure that your solution does not contain S-Controls. If S-Controls are detected in your submission, your submission will not be allowed through into queue.

Trial Templates
If you are submitting a Trialforce Template for review and your package contains S-Controls, please note that your app will be called out and placed in the upcoming re-review cycle. The S-Controls will need to be removed when submitting for re-review. This is only allowed for older AppExchange apps.

Re-Review
When your app is due and called out for re-review, remember to take the necessary steps to remove any prior S-Controls that were implemented.

Deprecation
We understand that some apps have been around before S-Controls were superseded and still contain these components. S-Controls cannot currently be fully removed from a managed package and empty S-Controls cannot be saved. But good news! While we are working to have the deprecation functionality enabled, please follow these directions to redirect the S-Controls:
  • For URL type S-Controls, you can simply redirect to existing Visualforce pages within the package.
  • As for HTML type S-Controls, you will need to ensure that an empty HTML block is in place for the content. This can be accomplished by using the following: <html></html> .
We encourage all partners to proactively remove all S-Controls to ensure that your solution is secure and our mutual customer’s data are not put at risk. 

Additional Resources #news