Disable loading external script - Pendo.io

Hey all,

I was playing around with the CMS on my machine when my wifi dropped out. For some reason the CMS kept hanging on an external script that was trying to load. Looking into it more, some kind of logging/analytics script is being loaded out-of-the-box by the navapp belonging to this site: https://www.pendo.io/.

The script being loaded:

!function(e, n, t, a, i) {
    var c, o, s, d, p;
    for ((i = e[a] = e[a] || {})._q = [],
    o = 0,
    s = (c = ["initialize", "identify", "updateOptions", "pageLoad"]).length; o < s; ++o)
        !function(e) {
            i[e] = i[e] || function() {
                i._q[e === c[0] ? "unshift" : "push"]([e].concat([].slice.call(arguments, 0)))
    (d = n.createElement(t)).async = !0,
    d.src = "https://cdn.pendo.io/agent/static/e65bf8ab-aad1-48b6-521a-3f558e16c979/pendo.js",
    (p = n.getElementsByTagName(t)[0]).parentNode.insertBefore(d, p)
}(window, document, "script", "pendo");
//# sourceMappingURL=scripts.6cc58785376a86301f9b.js.map

Reading the code it seems like I could remove scripts.6cc58785376a86301f9b.js from angular/navapp/filelist.json in the hippo-cms-engine jar to make it not load, but I wouldn’t want to overlay that webfragment every release.

It would be great to be able to disable this script being loaded by default, is there a configuration for that anywhere?

In general, I would say that a product such as this, should strive to minimise its external dependencies so that when they are deployed in restricted environments (either by design or not) they can work predictably. Not to mention the apprehension some people (or security teams) might have regarding their backends reaching out to not necessarily trusted 3rd party sites. But maybe that’s just me.

Please let me know if I’m missing or misunderstanding something, keen to hear back from you.




Pendo is used in our CMS Usage Statistics functionality. For more information, and how to disable, see


Hi Jeroen,

Thanks for the link! I had accidentally stumbled across that option previously and disabled it. However, even if it is disabled the script still loads – I guess the behaviour is for it to not send any information if it’s disabled.

For now I’m overriding the filelist.json to exclude script.js from rendering, but it’s not ideal.

Thanks again, I appreciate you getting back to me!



Hi Marnix,

I’m encountering the same issue while upgrading to Hippo 14. Could you please tell me where the filelist.json should be placed in order to overwrite the original one? (I’ve tried some locations, but no luck so far). :roll_eyes:


Because the hippo-cms-engine jar seems to be structured like a webfragment (servlet 3.0 spec stuff), the public facing assets in that webfragment are subject to the resource finding rules that apply to webfragments. Which means that you can serve up a different file from the main project when you put it in the cms module at: src/main/java/resources/angular/navapp/filelist.json.

So now, when the browser requests filelist.json, it won’t serve the file from the webfragment, but from the main resources folder. The contents of mine looks like this:

  "main.js": "main.39766d137d76941d6d26.js",
  "polyfills.js": "polyfills.b3b4640e1e6332436593.js",
  "runtime.js": "runtime.a8ef3a8272419c2e2c66.js",
  "styles.css": "styles.62262ab71bf6a5cbb667.css"

But depending on your version the hashes may have to be different (which is the downside of this approach). I’d still much prefer the script not being loaded at all when the sending usage statistics has been disabled. It’d be wise to document this somewhere as a step to consider when updating between versions.

Hope that helps!



Thanks a bunch! Worked like a charm.