  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-85032

Marketplace portlet leaves external JS resources running on localhost installations

    Details

    • Type: Bug
    • Status: Open
    • Resolution: Unresolved
    • Affects Version/s: 7.1.10 DXP GA1
    • Fix Version/s: None
    • Component/s: App Management
    • Labels:
      None

      Description

      When I navigate to Marketplace on a demo installation on localhost, I'm getting the MP content from liferay.com - including the script code included on there. So far, this is expected.

      However, it seems that due to SPA, their code stays active once I navigate away from Marketplace. My scripting plugins still show both decibelinsight and newrelic code present and blocked/blockable until I reload the full page - just navigating isn't enough.

      Due to the nature of decibelinsight and newrelic (as far as I understand their business) they might collect information about the sites that their scripts are running on, which is probably unexpected and might pose a legal risk.

      I'm assuming that this will also happen on Intranet sites, behind Firewalls - be it production, development, or test instances.

      I couldn't find a SPA component here, assuming that this is SPA related and not sure if I should file a security/information disclosure issue, or if there's a better explanation for it.

      An answer that these scripts currently don't collect any data from localhost is not sufficient, as they're fetched from the internet and might change any time.
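
Added example, not part of the original report or of Liferay's code: one way to check the behaviour described above is to count requests to foreign origins that the page issued after a client-side navigation, using entries shaped like `performance.getEntriesByType('resource')`. The page URL, hosts, paths and timings in the sample are constructed placeholders, not the vendors' real endpoints.

```javascript
'use strict';

// Count requests to foreign origins that started at or after `sinceMs`.
// `entries` has the shape of performance.getEntriesByType('resource'):
//   { name: <URL string>, initiatorType: <string>, startTime: <ms> }
function thirdPartyRequestsAfter(pageUrl, entries, sinceMs) {
  const pageOrigin = new URL(pageUrl).origin;
  const counts = new Map();
  for (const e of entries) {
    if (e.startTime < sinceMs) continue;       // issued before the SPA navigation
    let u;
    try {
      u = new URL(e.name, pageUrl);            // also resolves relative names
    } catch (err) {
      continue;                                // unparsable entry name
    }
    if (u.protocol !== 'http:' && u.protocol !== 'https:') continue;
    if (u.origin === pageOrigin) continue;     // the portal's own resources
    counts.set(u.origin, (counts.get(u.origin) || 0) + 1);
  }
  // Sorted [origin, count] pairs so results are stable to compare.
  return [...counts.entries()].sort((a, b) => a[0].localeCompare(b[0]));
}

// Browser usage, typed into the console of the portal page:
//   const t = performance.now();   // right after navigating away from Marketplace
//   ... keep using the portal without a full reload ...
//   thirdPartyRequestsAfter(location.href,
//     performance.getEntriesByType('resource'), t);

// Constructed sample data (hypothetical hosts and paths).
const SAMPLE_PAGE = 'http://localhost:8080/';
const SAMPLE_ENTRIES = [
  { name: 'http://localhost:8080/js/portal.js', initiatorType: 'script', startTime: 120 },
  { name: 'https://marketplace.example/store.js', initiatorType: 'script', startTime: 900 },
  { name: 'https://tracker.example/collect?e=pageview', initiatorType: 'xmlhttprequest', startTime: 950 },
  // Entries below start after the SPA navigation at t = 2000 ms.
  { name: 'http://localhost:8080/api/data', initiatorType: 'fetch', startTime: 2100 },
  { name: 'https://tracker.example/collect?e=click', initiatorType: 'xmlhttprequest', startTime: 2300 },
  { name: 'https://tracker.example/collect?e=route', initiatorType: 'beacon', startTime: 2600 },
  { name: 'https://apm.example/agent/ping', initiatorType: 'fetch', startTime: 3100 },
];
```

A non-empty result for a timestamp taken after leaving Marketplace means externally fetched code is still issuing requests from the portal page. Resource Timing keeps a bounded buffer, so run the check soon after navigating on a long-lived page.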


            People

            • Assignee:
              support-lep@liferay.com SE Support
              Reporter:
              olaf.kock Olaf Kock
              Participants of an Issue:
              Recent user:
              Olaf Kock

              Dates

              • Created:
                Updated:
                Days since last comment:
                45 weeks, 6 days ago
