AEM Sidekick Security

This page describes the security-relevant aspects of the Sidekick: the browser permissions it requires, how it handles privacy, and the network requests it makes during operation.

You can also refer to the following resources for additional information:

Browser Permissions

The Sidekick requires the following browser permissions, as declared in its manifest file, to function as expected:

activeTab: required to determine whether to show or hide the Sidekick in the active tab.
contextMenus: required to simplify adding and removing projects.
declarativeNetRequest: required to append a previously stored access token to requests made to the admin API.
scripting: required to load the Sidekick in a relevant browser tab.
storage: required to persist the following:
  • state settings (local storage)
  • project configurations (synchronized across devices)
  • access tokens (session storage)
host permissions: required hosts:
  • https://www.aem.live/tools/sidekick/* (see Sidekick Sharing)
  • http://localhost:3000/* (see Local Development)
  • https://*/* (used to determine whether to show or hide the Sidekick based on a tab’s URL)
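As an added illustration (not the Sidekick’s own code, which this page does not show), the following sketches how a declarativeNetRequest session rule can attach a stored access token to admin API requests only, and why the rule’s scope matters: with the https://*/* host permission granted, a loosely written condition would send the token to any URL that merely contains the host name. The header name and "token <value>" format, the rule ids, the resource types and the offline condition evaluator are assumptions; the evaluator covers only the requestDomains and anchored-prefix subset of the rule syntax used here.

```javascript
// Added illustration, not the Sidekick's own code: a declarativeNetRequest session rule
// that attaches a session-stored access token to admin API requests only.
// Assumptions: the header name and "token <value>" format, the rule ids and the resource
// types are placeholders; the offline evaluator below covers only the condition subset used here.

const ADMIN_API_HOST = 'admin.hlx.page'; // from the Network Requests section

// Scoped rule: requestDomains limits it to admin.hlx.page and its subdomains, and the
// leading "|" in urlFilter anchors the match to the start of the URL, so only https requests count.
function buildTokenRule(token, id = 1) {
  return {
    id,
    priority: 1,
    action: {
      type: 'modifyHeaders',
      requestHeaders: [
        { header: 'authorization', operation: 'set', value: `token ${token}` },
      ],
    },
    condition: {
      urlFilter: '|https://',
      requestDomains: [ADMIN_API_HOST],
      resourceTypes: ['xmlhttprequest'],
    },
  };
}

// Loosely scoped rule for contrast: a bare substring urlFilter matches the host name
// anywhere in the URL, including in the query string of an unrelated site.
function buildNaiveTokenRule(token, id = 2) {
  const rule = buildTokenRule(token, id);
  rule.condition = { urlFilter: ADMIN_API_HOST, resourceTypes: ['xmlhttprequest'] };
  return rule;
}

// Offline evaluator for the two condition keys used above. requestDomains matches the
// host or a subdomain of it; urlFilter is either a "|"-anchored prefix or a plain substring.
// Chrome's real matcher supports more syntax; this is only for local sanity checks.
function conditionMatches(condition, urlString) {
  const url = new URL(urlString);
  if (condition.requestDomains) {
    const hostOk = condition.requestDomains.some(
      (d) => url.hostname === d || url.hostname.endsWith(`.${d}`),
    );
    if (!hostOk) return false;
  }
  if (condition.urlFilter) {
    const filter = condition.urlFilter;
    if (filter.startsWith('|')) {
      if (!urlString.startsWith(filter.slice(1))) return false;
    } else if (!urlString.includes(filter)) {
      return false;
    }
  }
  return true;
}

// Would the token be attached to a request for this URL?
function tokenWouldBeSent(rule, urlString) {
  return conditionMatches(rule.condition, urlString);
}

// Install as a session rule: session rules are discarded when the browser exits, which
// matches keeping the token itself in session storage. Guarded so the file also loads
// outside an extension context (for example under Node while testing the evaluator).
async function installTokenRule(token) {
  const rule = buildTokenRule(token);
  if (typeof chrome !== 'undefined' && chrome.declarativeNetRequest) {
    await chrome.declarativeNetRequest.updateSessionRules({
      removeRuleIds: [rule.id],
      addRules: [rule],
    });
  }
  return rule;
}
```

Run the evaluator against the scoped and the naive rule with a URL such as https://evil.example/?ref=admin.hlx.page: only the naive rule matches it, which is exactly the leak a broad host permission makes possible.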

Privacy

The Sidekick collects user activity allowing Adobe to:

All data collected is:

Adobe further declares that user data is:

Network Requests

The Sidekick performs HTTPS requests to the following hosts:

https://admin.hlx.page/*
  The endpoint of the AEM admin API. Used to perform actions like previewing, publishing and signing in. Requests can originate from the service worker as well as the active tab and can include the user’s access token. Methods: GET, POST and DELETE.
https://rum.hlx.page/*
  The endpoint of Adobe’s RUM (Real Use Monitoring) service. Used to collect anonymous usage data. Requests can originate from the service worker as well as the active tab. Method: POST.
https://www.hlx.live/tools/sidekick/*/help.json
  The JSON rendition of the Sidekick in-product help content. Used to display contextual help dialogs in the user’s preferred language. Requests originate from the service worker. Method: GET.
https://*.sharepoint.com/*
  The endpoint of the configured SharePoint instance. Used to retrieve the driveItem if the URL in the active tab matches the configured SharePoint host. Requests originate from the active tab and can include the user’s SharePoint credentials. Method: GET.
https://*--project--example.aem.*/*
  The URLs of your preview and live environments. Used to refresh the browser cache after preview and publish operations. Requests can originate from the service worker as well as the current tab and can include the user’s credentials. Method: GET.

Restricting Access

You can restrict the Sidekick’s access to certain hosts for all users in your enterprise by defining runtime_blocked_hosts and runtime_allowed_hosts for the Sidekick’s extension ID in the ExtensionSettings policy of your managed Chrome deployment. Entries in runtime_allowed_hosts take precedence over runtime_blocked_hosts, which is what makes the deny-by-default pattern in Example 2 work. See Google’s documentation on Managing Extensions in Your Enterprise for more information.

Example 1: Allow everything, deny few

{
  "ccfggkjabjahcjoljmgmklhpaccedipo": {
    "runtime_blocked_hosts": [
      "https://intranet.example.com/*",
      "https://extranet.example.com/*"
    ]
  }
}

This would prevent the Sidekick extension from interacting with any URL matching https://intranet.example.com/* or https://extranet.example.com/*.

Example 2: Deny everything, allow few

{
  "ccfggkjabjahcjoljmgmklhpaccedipo": {
    "runtime_blocked_hosts": ["*://*/*"],
    "runtime_allowed_hosts": [
      "https://admin.hlx.page/*",
      "https://rum.hlx.page/*",
      "http://localhost:3000/*",
      "https://www.hlx.live/tools/sidekick/*",
      "https://*.sharepoint.com/*",
      "https://*--project--example.aem.*/*"
    ]
  }
}

This would prevent the Sidekick extension from interacting with any URL except those matching a pattern in runtime_allowed_hosts. The allow list combines the host_permissions from the manifest file with the hosts from the Network Requests section above, so that all Sidekick features keep working. Note that it omits https://www.aem.live/tools/sidekick/*, which is listed under host permissions for Sidekick Sharing; add it if your users share projects that way, and re-check the allow list whenever the Network Requests section changes, since any host missing from it is silently cut off.
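The following is an added example, not part of Adobe’s documentation, for checking a policy fragment offline before rolling it out: it applies Chrome’s precedence rule (runtime_allowed_hosts overrides runtime_blocked_hosts) to one constructed sample URL per host from the Browser Permissions and Network Requests sections and lists the URLs the policy would cut off. The deny-all entry is written as *://*/*, the match-pattern form for all http and https URLs. The matcher treats every * as a plain glob, which is looser than Chrome’s real host-pattern rules, so use it to catch gaps in the allow list and confirm the final policy in chrome://policy.

```javascript
// Added example, not Adobe's code: evaluate an ExtensionSettings fragment offline.
// Pattern matching here is a simplified glob (every "*" matches any run of characters);
// Chrome's real host-pattern rules are stricter, so confirm the deployed policy in chrome://policy.

const SIDEKICK_ID = 'ccfggkjabjahcjoljmgmklhpaccedipo';

// Constructed sample URLs, one per host from the Browser Permissions and Network Requests sections.
const SIDEKICK_URLS = [
  'https://www.aem.live/tools/sidekick/index.html',
  'http://localhost:3000/',
  'https://admin.hlx.page/preview/owner/repo/main/',
  'https://rum.hlx.page/.rum/1',
  'https://www.hlx.live/tools/sidekick/en/help.json',
  'https://tenant.sharepoint.com/sites/site/_api/',
  'https://main--project--example.aem.page/',
  'https://main--project--example.aem.live/',
];

// Example 1 from above: allow everything, deny a few intranet hosts.
const DENY_FEW_POLICY = {
  [SIDEKICK_ID]: {
    runtime_blocked_hosts: ['https://intranet.example.com/*', 'https://extranet.example.com/*'],
  },
};

// Example 2 from above: deny everything, allow the listed Sidekick hosts
// ("*://*/*" is the match-pattern form for all http and https URLs).
const ALLOW_FEW_POLICY = {
  [SIDEKICK_ID]: {
    runtime_blocked_hosts: ['*://*/*'],
    runtime_allowed_hosts: [
      'https://admin.hlx.page/*',
      'https://rum.hlx.page/*',
      'http://localhost:3000/*',
      'https://www.hlx.live/tools/sidekick/*',
      'https://*.sharepoint.com/*',
      'https://*--project--example.aem.*/*',
    ],
  },
};

// Turn a host pattern into an anchored regular expression; every "*" becomes ".*".
function patternToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp(`^${escaped.replace(/\*/g, '.*')}$`);
}

function matchesAny(patterns, url) {
  return (patterns || []).some((p) => patternToRegExp(p).test(url));
}

// Chrome's precedence: a URL is blocked only if it matches runtime_blocked_hosts
// and does not match runtime_allowed_hosts (the allow list overrides the block list).
function isBlocked(settings, url) {
  return matchesAny(settings.runtime_blocked_hosts, url)
    && !matchesAny(settings.runtime_allowed_hosts, url);
}

// Which of the Sidekick's own URLs would this policy cut off?
function blockedSidekickUrls(policy) {
  const settings = policy[SIDEKICK_ID] || {};
  return SIDEKICK_URLS.filter((url) => isBlocked(settings, url));
}

console.log('Example 1 blocks:', blockedSidekickUrls(DENY_FEW_POLICY));
console.log('Example 2 blocks:', blockedSidekickUrls(ALLOW_FEW_POLICY));
```

Against Example 1 nothing in the Sidekick’s own list is blocked; against Example 2 the check reports the https://www.aem.live/tools/sidekick/ URL, because that host permission is not in the allow list.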

Security Audits

The Sidekick’s entire source code is publicly available and, like all of AEM, subject to regular audits performed by third-party security researchers. Reports can be shared with customers and prospects under NDA.