CQ External component 'adaptive' inclusion mode

Hi,

In CQ 5.5 the external component allowed inclusion of 3rd party content rendered in the same CQ page using 'adaptive' inclusion mode - as described here. However, it looks like this has been removed in CQ 5.6.1 - the same component just has the iframe mode as described here.

However, the underlying Java class that pulled in the external content for adaptive mode is still in the cq-wcm-foundation jar - com.day.cq.wcm.foundation.impl.Rewriter.

So my questions are:

1. Why was adaptive inclusion mode removed from the External component?

2. Should we not replicate the behaviour ourselves? It seems like a good alternative to iFrames for 3rd party web site inclusion.

Jon.

1 Accepted Solution

Correct answer by
Level 10

Adaptive mode basically puts a "do what you like" tool in the hands of an average author who can use it to add unfiltered, unencoded markup to an otherwise controlled environment - this makes a site susceptible to XSS, phishing, clickjacking and more attacks. Even if the author is considered internal, a compromised 3rd party system embedded via external component can add the same risks. These issues were discussed at length between EM and PM, and the security concerns led to the final decision to disable adaptive mode.
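The risk described in the accepted answer can be made concrete with an audit of third-party markup before it is inlined into a page. This is an added example, not part of the original thread and not AEM code; the `audit` function, the host names and the sample markup are constructed for illustration, and the check is a review aid rather than a sanitizer.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that execute code or pull in further content when inlined.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "base", "meta", "link"}
URL_ATTRS = {"href", "src", "action", "formaction"}
SCRIPT_SCHEMES = {"javascript", "vbscript", "data"}

class InlineRiskAudit(HTMLParser):
    """Collects constructs that run with the host page's origin once inlined."""
    def __init__(self, trusted_host):
        super().__init__(convert_charrefs=True)
        self.trusted_host = trusted_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-tag", tag))
        for name, value in attrs:
            # Browsers ignore tab/CR/LF inside URLs, so drop them before parsing.
            value = (value or "").strip().translate({9: None, 10: None, 13: None})
            if name.startswith("on"):                      # inline event handler
                self.findings.append(("event-handler", f"{tag}[{name}]"))
            elif name == "style":                          # can restyle or overlay the host page
                self.findings.append(("inline-style", tag))
            elif name in URL_ATTRS:
                url = urlparse(value)
                if url.scheme.lower() in SCRIPT_SCHEMES:
                    self.findings.append(("script-url", f"{tag}[{name}]"))
                elif tag == "form" and url.netloc and url.netloc != self.trusted_host:
                    self.findings.append(("offsite-form", url.netloc))

def audit(markup, trusted_host):
    parser = InlineRiskAudit(trusted_host)
    parser.feed(markup)
    parser.close()
    return parser.findings

# Constructed sample of what a compromised third-party endpoint might return.
SAMPLE = """
<div class="widget">
  <p onmouseover="track()">Partner offer</p>
  <a href="JavaScript:void(0)">details</a>
  <form action="https://login.example.net/collect" method="post">
    <input name="password" type="password">
  </form>
  <div style="position:fixed;top:0;left:0;opacity:0">overlay</div>
  <script src="https://cdn.example.net/w.js"></script>
</div>
"""

if __name__ == "__main__":
    for kind, where in audit(SAMPLE, "www.example.com"):
        print(f"{kind:14} {where}")
```

Each finding is something an iframe would have kept in the third party's own origin; inlined, it acts as part of the host page.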
