In client-managed Qlik Sense, mashups are uploaded to the Qlik server just like any other extension. For some reason, Qlik SaaS allows only custom object extensions to be uploaded. This creates problems because:
- Mashups need to be hosted on a separate web server, increasing management overhead and infrastructure costs. In a corporate environment, it is never straightforward to establish new web servers or get admin access to existing ones.
- Because mashups are hosted on a different domain than Qlik SaaS, authentication may not work at all as modern browsers increasingly limit the use of third-party cookies. Safari already blocks third-party cookies by default, making it impossible to use a Qlik mashup unless the user knows how to override the default security settings. Chrome is likely to do the same starting next year.
- Requiring mashups to be hosted on a separate web server decreases overall security as it can open up additional attack vectors and requires more effort to set up and maintain security. Any attack that is possible using mashups can be done with custom object extensions, so allowing mashups to be uploaded in Qlik SaaS does not really open any additional attack vectors. In the end, only administrators can upload extensions to Qlik SaaS and one should assume that they are trustworthy and responsible.
The solution to the above is simple: just please allow uploading of mashups like other extensions in Qlik SaaS!