Disable loading external script - Pendo.io

Hey all,

I was playing around with the CMS on my machine when my wifi dropped out. For some reason the CMS kept hanging on an external script that was trying to load. Looking into it more, some kind of logging/analytics script is being loaded out-of-the-box by the navapp belonging to this site: https://www.pendo.io/.

The script being loaded:

!function(e, n, t, a, i) {
    var c, o, s, d, p;
    for ((i = e[a] = e[a] || {})._q = [],
    o = 0,
    s = (c = ["initialize", "identify", "updateOptions", "pageLoad"]).length; o < s; ++o)
        !function(e) {
            i[e] = i[e] || function() {
                i._q[e === c[0] ? "unshift" : "push"]([e].concat([].slice.call(arguments, 0)))
    (d = n.createElement(t)).async = !0,
    d.src = "https://cdn.pendo.io/agent/static/e65bf8ab-aad1-48b6-521a-3f558e16c979/pendo.js",
    (p = n.getElementsByTagName(t)[0]).parentNode.insertBefore(d, p)
}(window, document, "script", "pendo");
//# sourceMappingURL=scripts.6cc58785376a86301f9b.js.map

Reading the code it seems like I could remove scripts.6cc58785376a86301f9b.js from angular/navapp/filelist.json in the hippo-cms-engine jar to make it not load, but I wouldn’t want to overlay that webfragment every release.

It would be great to be able to disable this script being loaded by default, is there a configuration for that anywhere?

In general, I would say that a product such as this, should strive to minimise its external dependencies so that when they are deployed in restricted environments (either by design or not) they can work predictably. Not to mention the apprehension some people (or security teams) might have regarding their backends reaching out to not necessarily trusted 3rd party sites. But maybe that’s just me.

Please let me know if I’m missing or misunderstanding something, keen to hear back from you.




Pendo is used in our CMS Usage Statistics functionality. For more information, and how to disable, see


Hi Jeroen,

Thanks for the link! I had accidentally stumbled across that option previously and disabled it. However, even if it is disabled the script still loads – I guess the behaviour is for it to not send any information if it’s disabled.

For now I’m overriding the filelist.json to exclude script.js from rendering, but it’s not ideal.

Thanks again, I appreciate you getting back to me!