Content Security Policy — Default Header Settings
CSP Header Values — Default Settings
The following CSP header values are the defaults shipped with ThingWorx. For information on how administrators can change the CSP header configuration, see Configuring Content Security Policy Header Values.
Each entry below lists the directive (Header), its Default Setting, and Notes. Keyword sources such as 'self' and 'none' are written with straight single quotes.

default-src
    Default setting: 'self'
    Notes: Specifies the default or fallback sources for resources loaded or fetched on the page; it applies to any fetch directive (script-src, style-src, and so on) that is not set explicitly.

connect-src
    Default setting: 'self'
    Notes: Guards the browser mechanisms that can issue HTTP requests, including XMLHttpRequest (XHR/AJAX), WebSocket, fetch(), <a ping>, and EventSource.

font-src
    Default setting: 'self'
    Notes: Guards loading of fonts using @font-face.

frame-ancestors
    Default setting: 'self'
    Notes: Specifies which parent URLs may frame the current resource. Using the frame-ancestors directive, you can allow or block a page from being placed within a frame or iframe.
    If Clickjack Filtering was configured in web.xml and a migration to CSP occurred, frame-ancestors is set to 'self' and the allow list is the one defined in the Clickjack Filter.

frame-src
    Default setting: 'self' tw-ra-client:
    Notes: Controls loading of frames, for example an <iframe> HTML tag within an HTML document.

img-src
    Default setting: 'self'
    Notes: Guards loading of images, for example via an <img> HTML tag.

media-src
    Default setting: 'self'
    Notes: Guards loading of audio and video, for example the HTML5 <audio> and <video> elements.

object-src
    Default setting: 'self'
    Notes: Specifies the valid sources for the <object> and <embed> elements. This includes browser plugin content such as Flash, Java, and ActiveX controls. *
    When defining the value for object-src, ThingWorx does not augment the default value with the Allowed value; instead, the Allowed value replaces the default value. Additionally, if 'none' is included in the Allowed value, it overrides every other value, so 'none' becomes the final value for object-src. See Editing Directives in Configuring Content Security Policy Header Values.

script-src
    Default setting: 'self' 'unsafe-eval' 'unsafe-inline'
    Notes: Guards the loading and execution of JavaScript.

style-src
    Default setting: 'self' 'unsafe-inline'
    Notes: Guards the loading and execution of CSS styles and stylesheets.

worker-src
    Default setting: 'self'

* This note pertains to object-src.
Typically, when you modify a CSP directive, the default setting and the new setting(s) are combined, so the value injected into the CSP header includes the default plus the new setting. For example, frame-ancestors defaults to 'self'. If you update the frame-ancestors configuration to include https://*.somedomain.com, the final header value is 'self' https://*.somedomain.com.
object-src behaves differently: instead of augmenting the default setting with the administrator's update, the update replaces the default value. For example, the default setting for object-src is 'self'. If you update object-src to https://*.somedomain.com, the directive sent in the CSP header is only https://*.somedomain.com. If you want 'self' included, you must explicitly configure object-src as https://*.somedomain.com 'self'. If your object-src configuration includes 'none', it overrides any other settings; therefore 'self' 'none' is effectively 'none'.
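The following Python script is an added example, not ThingWorx code, that models the merge rules described above: the defaults from the table are appended to for every directive except object-src, where the administrator's value replaces the default and 'none' wins over anything it is combined with. It also includes a small lint check based on the CSP grammar, in which keyword sources such as 'self' and 'none' are quoted while host sources such as https://*.somedomain.com are written bare (a quoted host source is ignored by browsers). The function names, the REPLACING_DIRECTIVES set, and the administrator configuration in the example are assumptions made for the demonstration.

```python
"""Model of how ThingWorx combines default CSP directive values with administrator overrides.

Added example; the merge rules follow the description on this page, not ThingWorx source code.
"""

# Default directive values as listed in the table on this page.
DEFAULTS = {
    "default-src": ["'self'"],
    "connect-src": ["'self'"],
    "font-src": ["'self'"],
    "frame-ancestors": ["'self'"],
    "frame-src": ["'self'", "tw-ra-client:"],
    "img-src": ["'self'"],
    "media-src": ["'self'"],
    "object-src": ["'self'"],
    "script-src": ["'self'", "'unsafe-eval'", "'unsafe-inline'"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "worker-src": ["'self'"],
}

# Directives whose configured value replaces the default instead of being appended to it.
# The page documents this behaviour for object-src only (assumed set name).
REPLACING_DIRECTIVES = {"object-src"}

# Keyword sources that appear on this page; in the CSP grammar these must be quoted.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval"}


def lint_source(src):
    """Return a problem description for one source expression, or None if it is well formed."""
    inner = src.strip("'")
    quoted = len(src) >= 2 and src.startswith("'") and src.endswith("'")
    if inner in KEYWORDS and not quoted:
        return f"keyword source {inner} must be quoted"
    if inner not in KEYWORDS and src.startswith("'"):
        return f"host or scheme source {inner} must not be quoted"
    return None


def merge_directive(name, allowed):
    """Return the final source list for one directive.

    allowed: source expressions configured by the administrator (empty means untouched).
    """
    default = DEFAULTS.get(name, [])
    if not allowed:
        return list(default)
    if name in REPLACING_DIRECTIVES:
        # The administrator's value replaces the default; 'none' overrides everything else.
        if "'none'" in allowed:
            return ["'none'"]
        return list(allowed)
    # All other directives: default first, then the new sources, without duplicates.
    merged = list(default)
    for src in allowed:
        if src not in merged:
            merged.append(src)
    return merged


def build_header(allowed_values):
    """Render the Content-Security-Policy header value from the defaults plus overrides."""
    parts = []
    for name in DEFAULTS:
        sources = merge_directive(name, allowed_values.get(name, []))
        parts.append(f"{name} {' '.join(sources)}")
    return "; ".join(parts)


def lint_header(allowed_values):
    """Return a list of (directive, problem) pairs for badly quoted sources in the override set."""
    problems = []
    for name, sources in allowed_values.items():
        for src in sources:
            problem = lint_source(src)
            if problem:
                problems.append((name, problem))
    return problems


if __name__ == "__main__":
    # Constructed administrator configuration for the demonstration.
    admin = {
        "frame-ancestors": ["https://*.somedomain.com"],
        "object-src": ["'self'", "'none'"],
        "img-src": ["'https://cdn.example.test'"],  # deliberately mis-quoted host source
    }
    print(build_header(admin))
    for directive, problem in lint_header(admin):
        print(f"{directive}: {problem}")
```

Running the script prints a header in which frame-ancestors is 'self' https://*.somedomain.com, object-src collapses to 'none', and the lint reports the mis-quoted img-src host so it can be corrected before the header reaches a browser.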