
# AEM Sidekick Security

This page describes the security aspects of the Sidekick: the browser permissions it requires, its privacy practices, and the network requests it makes during operation.

You can also refer to the following resources for additional information:

- The [listing page](https://chromewebstore.google.com/detail/aem-sidekick/igkmdomcgoebiipaifhmpfjhbjccggml) in Google Chrome Web Store
- The [manifest file](https://github.com/adobe/aem-sidekick/blob/main/src/extension/manifest.json) on GitHub (open source)
- The extension’s context menu

## Browser Permissions

The Sidekick requires the following browser permissions as defined in its [manifest file](https://github.com/adobe/aem-sidekick/blob/main/src/extension/manifest.json) to function as expected:

+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Table                                                                                                                                                                                                                                                                                                                                                                                                       |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| +:---------------------------:+:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:+ |
| | **Permission**              | **Justification**                                                                                                                                                                                                                                                                                                                                                         | |
| +-----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ |
| | **activeTab**               | Required to determine whether to show or hide the Sidekick in the active tab                                                                                                                                                                                                                                                                                              | |
| +-----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ |
| | **contextMenus**            | Required to simplify adding and removing projects                                                                                                                                                                                                                                                                                                                         | |
| +-----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ |
| | **declarativeNetRequest**   | Required to manipulate HTTP headers.                                                                                                                                                                                                                                                                                                                                      | |
| |                             |                                                                                                                                                                                                                                                                                                                                                                           | |
| |                             | - Request headers:                                                                                                                                                                                                                                                                                                                                                        | |
| |                             |   - add the user's [AEM credentials](https://main--helix-website--adobe.aem.page/docs/authentication-setup-authoring) to requests made to the [Admin API](https://www.aem.live/docs/admin.html); project URLs if the site is [protected](https://main--helix-website--adobe.aem.page/docs/authentication-setup-site); other Adobe-managed services if used by the project | |
| |                             |   - temporarily suppress browser caching on project URLs after content modifications                                                                                                                                                                                                                                                                                      | |
| |                             | - Response headers:                                                                                                                                                                                                                                                                                                                                                       | |
| |                             |   - allow cross-site requests to project URLs if originating from [AEM Admin Tools](https://tools.aem.live/)                                                                                                                                                                                                                                                              | |
| +-----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ |
| | **scripting**               | Required to load the Sidekick in a relevant browser tab                                                                                                                                                                                                                                                                                                                   | |
| +-----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ |
| | **storage**                 | Required to persist the following:                                                                                                                                                                                                                                                                                                                                        | |
| |                             |                                                                                                                                                                                                                                                                                                                                                                           | |
| |                             | - state settings (local storage)                                                                                                                                                                                                                                                                                                                                          | |
| |                             | - project configurations (synchronized across devices)                                                                                                                                                                                                                                                                                                                    | |
| |                             | - access tokens (session storage)                                                                                                                                                                                                                                                                                                                                         | |
| +-----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ |
| | **host\_permissions**       | Required hosts:                                                                                                                                                                                                                                                                                                                                                           | |
| |                             |                                                                                                                                                                                                                                                                                                                                                                           | |
| |                             | - `http://localhost:3000/*` – Used by developers during local development. See [aem CLI](https://main--helix-website--adobe.aem.page/developer/cli-reference) for more information.                                                                                                                                                                                       | |
| |                             | - `https://*/*` – Used to determine whether to show or hide the Sidekick based on a tab’s URL.                                                                                                                                                                                                                                                                            | |
| +-----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ |
| | **externally\_connectable** | Required to allow customer sites to interact with the Sidekick UI, e.g. for resizing or closing custom popovers. See [Sidekick Development](https://main--helix-website--adobe.aem.page/developer/sidekick-development) for more information.                                                                                                                             | |
| |                             |                                                                                                                                                                                                                                                                                                                                                                           | |
| |                             | - `http://localhost:3000/*` – Used by Adobe during local development.                                                                                                                                                                                                                                                                                                     | |
| |                             | - `https://*/*` – Allows receiving messages from any site using HTTPS. Write access is restricted to [trusted origins](#trusted-origins) via code.                                                                                                                                                                                                                        | |
| +-----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

## Trusted Origins

The following Adobe-owned origins are allowed to communicate with the Sidekick extension on behalf of the user to add, remove and sign into sites:

- `https://admin.hlx.page` – The current endpoint of the AEM [Admin API](https://www.aem.live/docs/admin.html)
- `https://api.aem.live` – The new endpoint of the AEM [Admin API](https://www.aem.live/docs/admin.html)
- `https://tools.aem.live` – Tools to help administrators manage AEM sites
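As an added illustration (not the Sidekick's own code), the following shows how an extension that accepts messages from `https://*/*` via `externally_connectable` can still confine write actions to the trusted origins listed above by comparing the sender's full origin rather than matching substrings. The message shape (`{ action }`) and the action names are assumptions for the example.

```javascript
// Added example, not code from the aem-sidekick repository.
// The message shape { action } and the action names are assumptions.

// Origins from the "Trusted Origins" list: scheme + host, no path, no port.
const TRUSTED_ORIGINS = new Set([
  'https://admin.hlx.page',
  'https://api.aem.live',
  'https://tools.aem.live',
]);

// Actions that change extension state and must only come from trusted origins.
const WRITE_ACTIONS = new Set(['addProject', 'removeProject', 'signIn']);

// Decide trust from the sender's URL by comparing the serialized origin
// (scheme://host[:port]); never by prefix or substring matching.
function isTrustedOrigin(senderUrl) {
  let url;
  try {
    url = new URL(senderUrl);
  } catch (e) {
    return false; // unparseable sender URL: treat as untrusted
  }
  // A lookalike host (admin.hlx.page.evil.example), an http:// scheme, a
  // non-default port, or a trusted host hidden in the query string all fail.
  return url.protocol === 'https:' && TRUSTED_ORIGINS.has(url.origin);
}

// Gate one external message. Returns the decision as data so it can be
// exercised outside a browser; the listener below acts on it.
function authorizeExternalMessage(message, senderUrl) {
  const action = message && typeof message.action === 'string' ? message.action : null;
  if (!action) {
    return { allowed: false, reason: 'missing action' };
  }
  if (!WRITE_ACTIONS.has(action)) {
    // UI-only interaction (e.g. resizing a popover) is accepted from any
    // site the browser delivers to us under externally_connectable.
    return { allowed: true, reason: 'ui action' };
  }
  if (!isTrustedOrigin(senderUrl)) {
    return { allowed: false, reason: 'write action from untrusted origin' };
  }
  return { allowed: true, reason: 'write action from trusted origin' };
}

// Wire the check into the external message listener when running inside
// Chrome; skipped when the file is executed outside a browser.
if (typeof chrome !== 'undefined' && chrome.runtime && chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((message, sender, sendResponse) => {
    // sender.url is the full URL of the page that sent the message.
    sendResponse(authorizeExternalMessage(message, sender.url));
  });
}
```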

## Privacy

The Sidekick collects user activity allowing Adobe to:

- Learn how users interact with the UI
- Enhance the user experience in future releases

All data collected is:

- Minimal: names of actions users click in the user interface and target URLs.
- Sampled: only every 10th interaction triggers data collection.
- Anonymous: no PII is being transmitted or stored.
- Secure: Data is transmitted using HTTPS and only authorized Adobe personnel have access to stored data.

Adobe further [declares](https://chromewebstore.google.com/detail/aem-sidekick/igkmdomcgoebiipaifhmpfjhbjccggml) that user data is:

- Not being sold to third parties
- Not being used or transferred for purposes that are unrelated to the item's core functionality
- Not being used or transferred to determine creditworthiness or for lending purposes

## Network Requests

The Sidekick performs HTTPS requests to the following hosts:

+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Table                                                                                                                                                                                                          |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| +:-------------------------------------:+:------------------------------------------------------------------------------------------------------------------------------------------------------------------:+ |
| | **Network Request**                   | **Justification**                                                                                                                                                  | |
| +---------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+ |
| | `https://admin.hlx.page/*`            | The current endpoint of the AEM [Admin API](https://www.aem.live/docs/admin.html). Used to perform actions like previewing, publishing and                         | |
| |                                       | signing in. Requests can originate from the service worker as well as the active tab and can include the user’s access token. Methods: `GET`, `POST` and `DELETE`. | |
| +---------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+ |
| | `https://api.aem.live/*`              | The new endpoint of the AEM [Admin API](https://www.aem.live/docs/admin.html). Used to perform actions like previewing, publishing and signing in. Requests can    | |
| |                                       | originate from the service worker as well as the active tab and can include the user’s access token. Methods: `GET`, `POST` and `DELETE`.                          | |
| +---------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+ |
| | `https://rum.hlx.page/*`              | The endpoint of Adobe’s RUM (Real Use Monitoring) service. Used to collect anonymous usage data. Requests can originate from the service worker as well as the     | |
| |                                       | active tab. Method: `POST`                                                                                                                                         | |
| +---------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+ |
| | `https://*.sharepoint.com/*`          | The endpoint of the [configured SharePoint instance](https://www.aem.live/docs/setup-customer-sharepoint-user). Used to retrieve the `driveItem` if the URL in the | |
| |                                       | active tab matches the configured SharePoint host. Requests originate from the active tab and can include the user’s SharePoint credentials. Method: `GET`         | |
| +---------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+ |
| | `https://*--project--example.aem.*/*` | The URLs of your preview and live environments. Used to refresh the browser cache after preview and publish operations. Requests can originate from the service    | |
| |                                       | worker as well as the current tab and can include the user’s credentials. Method: `GET`                                                                            | |
| +---------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+ |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

## Restricting Access

You can restrict the Sidekick’s access to certain hosts for all users in your enterprise by defining the `runtime_blocked_hosts` and `runtime_allowed_hosts` settings in your enterprise’s Chrome profile. See Google’s documentation on [Managing Extensions in Your Enterprise](https://support.google.com/chrome/a/answer/9296680) for more information.

**Example 1: Allow everything, deny few**

```
{
  "igkmdomcgoebiipaifhmpfjhbjccggml": {
    "runtime_blocked_hosts": [
      "https://intranet.example.com/*",
      "https://extranet.example.com/*"
    ]
  }
}
```

This would prevent the Sidekick extension from interacting with any URL matching `https://intranet.example.com/*` or `https://extranet.example.com/*`.

**Example 2: Deny everything, allow few**

```
{
  "igkmdomcgoebiipaifhmpfjhbjccggml": {
    "runtime_blocked_hosts": ["http*://*/*"],
    "runtime_allowed_hosts": [
      "https://admin.hlx.page/*",
      "https://api.aem.live/*",
      "https://rum.hlx.page/*",
      "http://localhost:3000/*",
      "https://*.sharepoint.com/*",
      "https://*--project--example.aem.*/*"
    ]
  }
}
```

This would prevent the Sidekick extension from interacting with *any* URL except the ones matching a pattern defined in `runtime_allowed_hosts`. This example combines the `host_permissions` from the [manifest file](https://github.com/adobe/aem-sidekick/blob/main/src/extension/manifest.json) with the list of URLs from the section [Network Requests](#network-requests) above to ensure maximum functionality and an optimal user experience.

## Security Audits

The Sidekick’s entire source code is [publicly available](https://github.com/adobe/aem-sidekick) and – like all of AEM – subject to regular audits performed by third-party security researchers. Reports can be shared with customers and prospects under NDA.

