Vendor Permissions
Control what each vendor's scripts can do on your site. Learn what every permission covers and what blocking it prevents.
The Dependencies view in the cside dashboard lists every vendor and domain delivering scripts to your site. Open a vendor to see its permission grid: a set of Allow and Block toggles that control what that vendor’s scripts can do in your users’ browsers.
This page explains each permission, what it covers, and what blocking it prevents.
How permissions work
Each permission has three states:
- Allow (green check): the vendor’s scripts can use this capability.
- Block (red shield): cside prevents the vendor’s scripts from using this capability.
- Unset (default): the vendor keeps its normal behavior and cside keeps monitoring what it does.
Permissions apply per vendor, for your whole team. When a script is not matched to a known vendor, you can set the same permissions on its domain instead.
When you block a permission, cside enforces your decision in the browser. Blocked attempts are still recorded, so you can see what a vendor tried to do after you locked it down.
Think of permissions as least privilege for third parties: each vendor only gets the capabilities it needs to do its job.
Resources
These permissions control what a vendor’s scripts can load, embed, or run on your pages.
| Permission | What it covers | What blocking prevents |
|---|---|---|
| Create and execute dynamic scripts | Loading additional code at runtime with script tags | Stops the vendor from pulling in new, unreviewed code after the page loads. This is how a compromised vendor typically escalates an attack. |
| Network Requests | Making fetch and XHR network requests | Stops the vendor from sending data out of the browser to its own servers. This is the main channel for data exfiltration. |
| Frames | Embedding iframes and frames | Stops hidden iframe overlays, fake login prompts, and clickjacking-style UI injection. |
| Objects | Embedding plugins and objects | Stops legacy plugin content (<object> and <embed> tags), an old but still abused injection path. |
| Workers | Running web workers and service workers | Stops background scripts that run out of sight, intercept requests, or keep working after the user leaves the page. |
| Media | Loading audio and video content | Stops unwanted audio or video loads, including media used for tracking or ad fraud. |
| Stylesheets | Loading external stylesheets | Stops style injection that can hide page elements, overlay fake UI, or leak typed data through CSS selectors. |
| Prefetch | Prefetching resources | Stops speculative loading of vendor resources, which can leak browsing signals before a user interacts. |
| Manifest | Loading web app manifests | Stops the vendor from supplying a manifest that changes how your site installs or behaves as an app. |
| Images | Loading external images | Stops image loads, including tracking pixels: tiny images used to beacon data out. |
| Fonts | Loading external fonts | Stops font loads from the vendor, a quiet channel for tracking and fingerprinting. |
Sensitive APIs
These permissions control access to device hardware through the browser.
| Permission | What it covers | What blocking prevents |
|---|---|---|
| Camera | Access to the device camera | Stops scripts from requesting camera access, so users never see a prompt they might accept by mistake. |
| Screen Capture | Capturing screen or window contents | Stops scripts from requesting screen recording, which can expose anything visible on the user’s display. |
| Geolocation | Access to the device location | Stops scripts from requesting your users’ physical location. |
| Microphone | Access to the device microphone | Stops scripts from requesting microphone access and recording audio. |
Storage
These permissions control access to data stored in the browser.
| Permission | What it covers | What blocking prevents |
|---|---|---|
| Cookies | Reading or writing cookies | Stops the vendor from reading session identifiers or tokens, and from planting its own tracking cookies. |
| Local Storage | Reading or writing localStorage | Stops access to persisted data, which often includes user identifiers and cached personal information. |
| Session Storage | Reading or writing sessionStorage | Stops access to per-tab session data, such as in-progress checkout state. |
| IndexedDB | Access to IndexedDB databases | Stops access to structured browser databases, where applications often cache larger sets of user data. |
Events
These permissions control whether a vendor can observe how users interact with your pages.
| Permission | What it covers | What blocking prevents |
|---|---|---|
| Click Events | Listening to click events | Stops click tracking across your pages, including capture of what users tap and select. |
| Keyboard Events | Listening to keyboard events | Stops keylogging. A script listening to keystrokes can capture everything a user types, including credentials and card numbers. |
Forms Permissions
These permissions control which form fields a vendor’s scripts can read. They are central to preventing form data theft, including Magecart-style skimming, and support PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1 for payment pages.
| Permission | What it covers | What blocking prevents |
|---|---|---|
| Form Access | Access to form elements and data | The general form permission. Blocking stops the vendor from reading form fields not covered by a more specific permission below. |
| Email Fields | Email input fields | Stops harvesting of email addresses your users type. |
| File Uploads | File input fields | Stops access to files users attach, such as ID documents or statements. |
| Password Fields | Password input fields | Stops credential harvesting from login and signup forms. |
| Hidden Fields | Hidden form fields | Stops reading of hidden inputs, which often hold session tokens, CSRF tokens, or internal IDs. |
| Address Fields | Address input fields | Stops collection of home and shipping addresses. |
| Search Fields | Search input fields | Stops capture of what users search for on your site. |
| Phone Fields | Telephone input fields | Stops harvesting of phone numbers. |
| URL Fields | URL input fields | Stops reading of URLs users enter into forms. |
| Name Fields | Name input fields | Stops collection of personal names. |
| One-Time Login | One-time login fields | Stops theft of one-time passcodes, which attackers use to defeat MFA. |
| Birthday Fields | Date-of-birth fields | Stops collection of birth dates, a key identity theft data point. |
| Sex/Gender Fields | Sex and gender input fields | Stops collection of sensitive demographic data. |
| Credit Card Fields | Credit card input fields | Stops card skimming: scripts reading card numbers as users type them at checkout. |
Other
| Permission | What it covers | What blocking prevents |
|---|---|---|
| Notifications | Sending push notifications | Stops notification prompts and push spam from the vendor. |
| Full Screen | Requesting full-screen mode | Stops full-screen takeovers used to imitate browser UI in phishing overlays. |
| Payment API | Access to the Payment Request API | Stops the vendor from invoking the browser’s payment sheet or probing payment capabilities. |
| History API | Manipulating browser history | Stops URL manipulation that can disguise the page a user is really on or trap the back button. |
| Clipboard | Reading from or writing to the clipboard | Stops scripts from reading what users copied elsewhere, such as passwords or wallet addresses, and from clipboard hijacking, such as swapping a copied payment address for an attacker’s. |
Choosing what to block
You don’t need to make 40 decisions per vendor on day one. A practical approach:
- Start with capabilities the vendor has no business using. Most vendors never require keyboard events, password fields, credit card fields, or the clipboard. Blocking those rarely affects functionality.
- Check the vendor’s recorded behavior. The Dependencies view shows what each vendor actually does on your site. If a vendor has never used a capability, blocking it carries low risk.
- Lock down the pages where the data is. On checkout and login flows, prioritize the forms permissions and Keyboard Events.
- Watch reports after blocking. Blocked attempts are still recorded. A vendor repeatedly attempting something you blocked is worth investigating.
If you don’t see Dependencies in your dashboard yet, it is rolling out gradually. Contact support@cside.dev to enable it for your team.
Related pages
- Threat Detection: how cside identifies malicious scripts automatically
- Vulnerability Detection: how cside flags scripts with known vulnerabilities
- PCI DSS / PCI Shield: payment page script requirements
- Audit Logs: track configuration changes made by your team
Thanks for your feedback!