  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-85032

Marketplace portlet leaves external JS resources running on localhost installations


    • Type: Bug
    • Status: Open
    • Resolution: Unresolved
    • Affects Version/s: 7.1.10 DXP GA1
    • Fix Version/s: None
    • Component/s: App Management
    • Labels:


      When I navigate to Marketplace on a demo installation on localhost, I'm getting the MP content from liferay.com - including the script code included on there. So far, this is expected.

      However, it seems that due to SPA, their code stays active once I navigate away from Marketplace. My scripting plugins still show both decibelinsight and newrelic code present and blocked/blockable until I reload the full page - just navigating isn't enough.

      Due to the nature of decibelinsight and newrelic (as far as I understand their business) they might collect information about the sites that their scripts are running on, which is probably unexpected and might pose a legal risk.

      I'm assuming that this will also happen on Intranet sites, behind Firewalls - be it production, development, or test instances.

      I couldn't find a SPA component here, assuming that this is SPA related and not sure if I should file a security/information disclosure issue, or if there's a better explanation for it.

      An answer that these scripts currently don't collect any data from localhost is not sufficient, as they're fetched from the internet and might change any time.
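A way to check for the condition this report describes, as an added example that is not part of the original issue or of Liferay's code: after navigating away from Marketplace without a full reload, list the `<script>` elements still in the document whose origin differs from the page's. The function name, sample URLs and hostnames are constructed for illustration.

```javascript
// Added example. Pure helper, so it runs in Node as well as in a browser console.
// pageUrl:    URL of the page currently shown (after the SPA navigation).
// scriptSrcs: the src attribute of every <script> element in the document
//             (null or "" for inline scripts).
// Returns a Map of external origin -> list of absolute script URLs.
function findExternalScripts(pageUrl, scriptSrcs) {
  const page = new URL(pageUrl);
  const byOrigin = new Map();
  for (const src of scriptSrcs) {
    if (!src) continue; // inline script: nothing fetched from a remote origin
    let url;
    try {
      url = new URL(src, page); // resolves relative and //host/path forms
    } catch (e) {
      continue; // unparsable src
    }
    // data:, blob: and similar are not remote fetches
    if (url.protocol !== "http:" && url.protocol !== "https:") continue;
    if (url.origin === page.origin) continue; // same origin as the portal
    if (!byOrigin.has(url.origin)) byOrigin.set(url.origin, []);
    byOrigin.get(url.origin).push(url.href);
  }
  return byOrigin;
}

// Constructed sample: a localhost page after leaving Marketplace via SPA navigation.
const SAMPLE_PAGE = "http://localhost:8080/web/guest/home";
const SAMPLE_SRCS = [
  "/js/portal.js",                               // relative, same origin
  "",                                            // inline script
  "//cdn.vendor-a.example/tracker.js",           // protocol-relative, external
  "https://cdn.vendor-b.example/agent.js",       // external
  "https://cdn.vendor-b.example/agent-extra.js", // external, same vendor
  "http://localhost:8080/js/app.js",             // absolute, same origin
  "data:text/javascript,void 0",                 // not a remote fetch
];

// In a browser console, feed it the live DOM instead of the sample:
//   findExternalScripts(location.href,
//     Array.from(document.scripts, s => s.getAttribute("src")))
for (const [origin, urls] of findExternalScripts(SAMPLE_PAGE, SAMPLE_SRCS)) {
  console.log(origin, urls.length, "script(s)");
}
```

This only reports script elements still present in the DOM; code that has already executed stays active until a full page reload even if its element has been removed.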




            • Assignee:
              support-lep@liferay.com SE Support
              olaf.kock Olaf Kock


              • Created:
                Days since last comment:
                45 weeks, 6 days ago

