AEM Sidekick Security
This page describes security aspects of the Sidekick such as required browser permissions, privacy and network requests being made during operation.
You can also refer to the following resources for additional information:
- The listing page in Google Chrome Web Store
- The manifest file on GitHub (open source)
- The extension’s context menu
This page applies to the Sidekick v6.
Browser Permissions
The Sidekick requires the following browser permissions as defined in its manifest file to function as expected:
| Permission | Justification |
| --- | --- |
| activeTab | Required to determine whether to show or hide the Sidekick in the active tab |
| contextMenus | Required to simplify adding and removing projects |
| declarativeNetRequest | Required to append a previously stored access token to requests made to the admin API |
| scripting | Required to load the Sidekick in a relevant browser tab |
| storage | Required to persist the following: |
| host permissions | Required hosts: |
Privacy
The Sidekick collects user activity data, allowing Adobe to:
- Learn how users interact with the UI
- Enhance the user experience in future releases
All data collected is:
- Minimal: names of actions users click in the user interface and target URLs.
- Sampled: only every 10th interaction triggers data collection.
- Anonymous: no PII is being transmitted or stored.
- Secure: Data is transmitted using HTTPS and only authorized Adobe personnel have access to stored data.
Adobe further declares that user data is:
- Not being sold to third parties
- Not being used or transferred for purposes that are unrelated to the item's core functionality
- Not being used or transferred to determine creditworthiness or for lending purposes
Network Requests
The Sidekick performs HTTPS requests to the following hosts:
| Network Request | Justification |
| --- | --- |
| https://admin.hlx.page/* | The endpoint of the AEM admin API. Used to perform actions like previewing, publishing and signing in. Requests can originate from the service worker as well as the active tab and can include the user’s access token. Methods: GET, POST and DELETE. |
| https://rum.hlx.page/* | The endpoint of Adobe’s RUM (Real Use Monitoring) service. Used to collect anonymous usage data. Requests can originate from the service worker as well as the active tab. Method: POST |
| https://www.hlx.live/tools/sidekick/*/help.json | The JSON rendition of the Sidekick in-product help content. Used to display contextual help dialogs in the user’s preferred language. Requests originate from the service worker. Method: GET |
| https://*.sharepoint.com/* | The endpoint of the configured SharePoint instance. Used to retrieve the driveItem if the URL in the active tab matches the configured SharePoint host. Requests originate from the active tab and can include the user’s SharePoint credentials. Method: GET |
| https://*--project--example.aem.*/* | The URLs of your preview and live environments. Used to refresh the browser cache after preview and publish operations. Requests can originate from the service worker as well as the current tab and can include the user’s credentials. Method: GET |
Restricting Access
You can restrict the Sidekick’s access to certain hosts for all users in your enterprise by defining the runtime_blocked_hosts and runtime_allowed_hosts settings in your enterprise’s Chrome profile. See Google’s documentation on Managing Extensions in Your Enterprise for more information.
Example 1: Allow everything, deny few
```json
{
  "igkmdomcgoebiipaifhmpfjhbjccggml": {
    "runtime_blocked_hosts": [
      "https://intranet.example.com/*",
      "https://extranet.example.com/*"
    ]
  }
}
```
This would prevent the Sidekick extension from interacting with any URL matching https://intranet.example.com/* or https://extranet.example.com/*.
Example 2: Deny everything, allow few
```json
{
  "igkmdomcgoebiipaifhmpfjhbjccggml": {
    "runtime_blocked_hosts": ["http*://*/*"],
    "runtime_allowed_hosts": [
      "https://admin.hlx.page/*",
      "https://rum.hlx.page/*",
      "http://localhost:3000/*",
      "https://*.sharepoint.com/*",
      "https://*--project--example.aem.*/*"
    ]
  }
}
```
This would prevent the Sidekick extension from interacting with any URL, except the ones matching a pattern defined in runtime_allowed_hosts. This example uses a combination of the host_permissions in the manifest file and the list of URLs from the chapter Network Requests above to ensure maximum functionality and an optimal user experience.
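Before rolling out an allow-list policy such as Example 2, it is worth checking it against the hosts listed under Network Requests, because any host missing from runtime_allowed_hosts will silently break that part of the Sidekick. The script below is an added example, not Adobe's code: it evaluates a Chrome ExtensionSettings policy against constructed sample URLs for each host in the Network Requests table and reports which of them the policy would still block. It assumes simplified match-pattern semantics (scheme, host and path globs, allowed list overriding blocked list).

```python
import re

# Chrome extension ID of the Sidekick, as used in the policy examples on this page
SIDEKICK_ID = "igkmdomcgoebiipaifhmpfjhbjccggml"

# Constructed sample URLs, one per host listed in the Network Requests table above
REQUIRED_URLS = {
    "admin API": "https://admin.hlx.page/status/project/example/main/",
    "RUM": "https://rum.hlx.page/.rum/1",
    "help content": "https://www.hlx.live/tools/sidekick/en/help.json",
    "SharePoint": "https://example.sharepoint.com/sites/docs/_api/web",
    "preview/live": "https://main--project--example.aem.page/index",
}

def pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a scheme://host/path pattern to a regex. Simplified match-pattern
    semantics (an assumption of this example): '*' as scheme means http or https,
    'http*' matches any letters after http, '*' in host matches non-slash text,
    '*' in the path matches anything."""
    m = re.fullmatch(r"(\*|[a-z]+\*?)://([^/]*)(/.*)?", pattern)
    if not m:
        raise ValueError(f"unsupported pattern: {pattern}")
    scheme, host, path = m.groups()
    scheme_re = "https?" if scheme == "*" else re.escape(scheme).replace(r"\*", "[a-z]*")
    host_re = re.escape(host).replace(r"\*", "[^/]*")
    path_re = re.escape(path or "/*").replace(r"\*", ".*")
    return re.compile(f"{scheme_re}://{host_re}{path_re}")

def is_allowed(policy: dict, url: str, extension_id: str = SIDEKICK_ID) -> bool:
    """runtime_allowed_hosts overrides runtime_blocked_hosts; a URL matched by
    neither list is left to the extension's own host permissions."""
    settings = policy.get(extension_id, {})
    if any(pattern_to_regex(p).fullmatch(url) for p in settings.get("runtime_allowed_hosts", [])):
        return True
    return not any(pattern_to_regex(p).fullmatch(url) for p in settings.get("runtime_blocked_hosts", []))

def blocked_required_hosts(policy: dict) -> list:
    """Names of the Network Requests hosts that the policy would block for the Sidekick."""
    return [name for name, url in REQUIRED_URLS.items() if not is_allowed(policy, url)]

# Example 2 from this page ("deny everything, allow few")
EXAMPLE_2 = {SIDEKICK_ID: {
    "runtime_blocked_hosts": ["http*://*/*"],
    "runtime_allowed_hosts": ["https://admin.hlx.page/*", "https://rum.hlx.page/*",
                              "http://localhost:3000/*", "https://*.sharepoint.com/*",
                              "https://*--project--example.aem.*/*"],
}}

if __name__ == "__main__":
    print("required hosts blocked by Example 2:", blocked_required_hosts(EXAMPLE_2))
```

Run against Example 2, the check reports the help content host, since https://www.hlx.live/tools/sidekick/*/help.json is listed under Network Requests but not in that example's runtime_allowed_hosts.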
Security Audits
The Sidekick’s entire source code is publicly available and – like all of AEM – subject to regular audits performed by third-party security researchers. Reports can be shared with customers and prospects under NDA.