After doing a lot of research, I come to this forum hoping I can get some help.
I am building a Ruby on Rails application (version 4.2).
My app allows users to create a "one page" portfolio:
User 1 can have his portfolio page in a subdomain: user1portfolio.myapp.com
User 2 can have his portfolio page in a subdomain: user2portfolio.myapp.com
User 3 can have his portfolio page in a subdomain: anotherportfolio.myapp.com
etc...
Each user has the choice to name his subdomain as he likes.
Also, no user can know about the link (subdomain) of other users in the app. The only way to know about the subdomain of another user is to find it on Google.
What I want is to allow each user to add JavaScript & HTML code in his portfolio, because a lot of users want to add things like popups, tracking code, analytics code, YouTube embed code... (I don't know what else).
I think there is no security problem because no one knows about the portfolio pages of others, but imagine that someone is connected to his account on my app and by chance finds (let's say) on Google the link of a portfolio page which contains "evil" code, then opens it! Here the security is affected, right? (Am I vulnerable to XSS, hijacking, or hacking?)
I did a lot of research but I have not found any clear solution; sometimes I found people saying that subdomains prevent XSS attacks, and sometimes I found other people saying that subdomains don't prevent XSS attacks!! And sometimes I found others saying "multi-tenancy" is good....
So as a newbie in security I have no idea who I should follow and who not!! And no one seems to give a clear solution!
What should I do about that?
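Added example (editor's code, not from the question or from Rails): the part of the question that "subdomains do / don't prevent XSS" turns on is whether the browser will send the main app's session cookie to a tenant's portfolio subdomain, where that tenant's JavaScript runs. This script models the browser's cookie domain-matching rule (RFC 6265) for a host-only cookie (what Rails sets when no `domain:` option is given) and for a cookie set with `domain: :all` (shared across every subdomain); the host names are constructed.

```ruby
# Model of browser cookie scoping (RFC 6265 section 5.1.3) applied to the
# multi-tenant subdomain layout from the question. Host names are constructed.
Cookie = Struct.new(:name, :domain, :host_only) do
  # True if a browser would attach this cookie to a request for +host+.
  def sent_to?(host)
    host = host.downcase
    if host_only
      # Host-only cookie: exact match with the host that set it, nothing else.
      host == domain.downcase
    else
      # Domain cookie: the host itself or any subdomain of it.
      d = domain.downcase.sub(/\A\./, '')
      host == d || host.end_with?(".#{d}")
    end
  end
end

# Rails default (no :domain option in the session store): host-only cookie.
HOST_ONLY_SESSION = Cookie.new('_myapp_session', 'www.myapp.com', true)

# config.session_store :cookie_store, key: '_myapp_session', domain: :all
# sets Domain=.myapp.com, so the cookie is shared with every subdomain,
# including the tenant pages that carry user-authored JavaScript.
SHARED_SESSION = Cookie.new('_myapp_session', '.myapp.com', false)

TENANT_HOSTS = %w[user1portfolio.myapp.com anotherportfolio.myapp.com]

# Which tenant hosts would receive the session cookie along with their
# requests? An empty list means the tenant origin never sees the session.
def exposed_hosts(cookie, hosts)
  hosts.select { |h| cookie.sent_to?(h) }
end

if __FILE__ == $PROGRAM_NAME
  puts "host-only cookie reaches: #{exposed_hosts(HOST_ONLY_SESSION, TENANT_HOSTS).inspect}"
  puts "domain: :all cookie reaches: #{exposed_hosts(SHARED_SESSION, TENANT_HOSTS).inspect}"
end
```

With the shared cookie, a logged-in visitor's session travels with every request to a tenant page; with the host-only cookie, the tenant subdomain is a separate origin that never receives it, which is the property the "subdomains help" advice relies on.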