AEM Sidekick Security

This page describes security aspects of the Sidekick such as required browser permissions, privacy and network requests being made during operation.

You can also refer to the following resources for additional information:

Browser Permissions

The Sidekick requires the following browser permissions as defined in its manifest file to function as expected:

| Permission | Justification |
|---|---|
| activeTab | Required to determine whether to show or hide the Sidekick in the active tab |
| contextMenus | Required to simplify adding and removing projects |
| declarativeNetRequests | Required to append a previously stored access token to requests made to the admin API |
| scripting | Required to load the Sidekick in a relevant browser tab |
| storage | Required to persist the following: state settings (local storage), project configurations (synchronized across devices), access tokens (session storage) |
| host permissions | Required hosts: http://localhost:3000/* and https://*/* |

Privacy

The Sidekick collects user activity allowing Adobe to:

  • Learn how users interact with the UI
  • Enhance the user experience in future releases

All data collected is:

  • Minimal: names of actions users click in the user interface and target URLs.
  • Sampled: only every 10th interaction triggers data collection.
  • Anonymous: no PII is being transmitted or stored.
  • Secure: Data is transmitted using HTTPS and only authorized Adobe personnel have access to stored data.

Adobe further declares that user data is:

  • Not being sold to third parties
  • Not being used or transferred for purposes that are unrelated to the item’s core functionality
  • Not being used or transferred to determine creditworthiness or for lending purposes

Network Requests

The Sidekick performs HTTPS requests to the following hosts:

| Network Request | Justification |
|---|---|
| https://admin.hlx.page/* | The endpoint of the AEM admin API. Used to perform actions like previewing, publishing and signing in. Requests can originate from the service worker as well as the active tab and can include the user’s access token. Methods: GET, POST and DELETE. |
| https://rum.hlx.page/* | The endpoint of Adobe’s RUM (Real Use Monitoring) service. Used to collect anonymous usage data. Requests can originate from the service worker as well as the active tab. Method: POST |
| https://.sharepoint.com/ | The endpoint of the configured SharePoint instance. Used to retrieve the driveItem if the URL in the active tab matches the configured SharePoint host. Requests originate from the active tab and can include the user’s SharePoint credentials. Method: GET |
| https://--project--example.aem./* | The URLs of your preview and live environments. Used to refresh the browser cache after preview and publish operations. Requests can originate from the service worker as well as the current tab and can include the user’s credentials. Method: GET |

Restricting Access

You can restrict the Sidekick’s access to certain hosts for all users in your enterprise by defining the runtime_blocked_hosts and runtime_allowed_hosts settings in your enterprise’s Chrome profile. See Google’s documentation on Managing Extensions in Your Enterprise for more information.

Example 1: Allow everything, deny few

    {
      "igkmdomcgoebiipaifhmpfjhbjccggml": {
        "runtime_blocked_hosts": [
          "https://intranet.example.com/",
          "https://extranet.example.com/"
        ]
      }
    }

This would prevent the Sidekick extension from interacting with any URL matching https://intranet.example.com/* or https://extranet.example.com/*.

Example 2: Deny everything, allow few

    {
      "igkmdomcgoebiipaifhmpfjhbjccggml": {
        "runtime_blocked_hosts": ["http*:///"],
        "runtime_allowed_hosts": [
          "https://admin.hlx.page/",
          "https://rum.hlx.page/",
          "http://localhost:3000/",
          "https://.sharepoint.com/",
          "https://--project--example.aem./"
        ]
      }
    }

This would prevent the Sidekick extension from interacting with any URL, except the ones matching a pattern defined in runtime_allowed_hosts. This example uses a combination of the host_permissions in the manifest file and the list of URLs from the chapter Network Requests above to ensure maximum functionality and an optimal user experience.
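
The following sketch is an added example, not part of Adobe's documentation or the Sidekick code: a pre-deployment check that a policy of this shape still permits the hosts listed under Network Requests while keeping internal hosts out of reach. The matcher is a simplified model of Chrome's host matching (origins only, shell-style wildcards); the `*://*` catch-all pattern and all function names are assumptions.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

SIDEKICK_ID = "igkmdomcgoebiipaifhmpfjhbjccggml"  # ID from the page's examples

# Constructed policy in the shape of Example 2; "*://*" is an assumed
# catch-all pattern for this sketch, not a value taken from the page.
POLICY = {
    SIDEKICK_ID: {
        "runtime_blocked_hosts": ["*://*"],
        "runtime_allowed_hosts": [
            "https://admin.hlx.page/",
            "https://rum.hlx.page/",
            "http://localhost:3000/",
        ],
    }
}

def origin(url):
    """Reduce a URL to scheme://host[:port], lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}" + (f":{p.port}" if p.port else "")

def matches(pattern, url):
    """Simplified model: compare origins only, '*' as a shell-style wildcard."""
    scheme, _, rest = pattern.partition("://")
    host = rest.split("/", 1)[0]  # any path in the pattern is ignored
    return fnmatchcase(origin(url), f"{scheme}://{host}".lower())

def may_interact(policy, ext_id, url):
    """runtime_allowed_hosts takes precedence over runtime_blocked_hosts."""
    settings = policy.get(ext_id, {})
    if any(matches(p, url) for p in settings.get("runtime_allowed_hosts", [])):
        return True
    return not any(matches(p, url) for p in settings.get("runtime_blocked_hosts", []))

def lint(policy, ext_id, required, forbidden):
    """Return (problem, url) pairs for a policy that blocks too much or too little."""
    problems = [("required-but-blocked", u) for u in required
                if not may_interact(policy, ext_id, u)]
    problems += [("forbidden-but-reachable", u) for u in forbidden
                 if may_interact(policy, ext_id, u)]
    return problems

REQUIRED = ["https://admin.hlx.page/", "https://rum.hlx.page/"]  # from Network Requests
FORBIDDEN = ["https://intranet.example.com/"]                    # from Example 1

if __name__ == "__main__":
    print(lint(POLICY, SIDEKICK_ID, REQUIRED, FORBIDDEN) or "policy OK")
```

Add your own preview, live and SharePoint hosts to `REQUIRED` before relying on the result, since they are specific to each project.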

Security Audits

The Sidekick’s entire source code is publicly available and – like all of AEM – subject to regular audits performed by 3rd party security researchers. Reports can be shared with customers and prospects under NDA.
