Configure Content Security Policy Header Values for ThingWorx Navigate
To improve the security posture of ThingWorx customers, ThingWorx Platform has added the Content Security Policy (CSP). CSP is a security mechanism that web browsers use to help protect against cross-site scripting (XSS), clickjacking, and other data injection attacks. The ThingWorx Platform sends CSP headers with its HTTP responses, and the browser enforces them to control which dynamic data and resources it may load and from which domains. Requests for resources from domains that are not allowed by the policy are blocked by the browser. Review the Content Security Policy section of the ThingWorx Platform documentation for detailed information on enabling and disabling CSP, configuring CSP header values, CSP default settings, and other details.
When the CSP filter is turned on, that is, when EnableContentSecurityPolicyFilter is set to true, the CSP directives must be configured for the ThingWorx Navigate out-of-the-box tasks to work. Perform the following steps in ThingWorx Composer to configure these directives:
1. In ThingWorx Composer, navigate to Subsystems > PlatformSubsystem.
2. Select the Content Security Policy Rules tab.
3. From the directives listed in the Content Security Policy Directives table, edit the connect-src and img-src directives. Select a directive to open the Edit Directive window for that directive.
4. In the Allowed field, add the domain you want to include (for instance, https://WINDCHILL_HOST) and click Save. Perform this step for both the connect-src and img-src directives. Refer to the "Editing Directives" section of the Configuring Content Security Policy Header Values topic for details.
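After saving the directives, it is worth confirming that the policy the platform actually emits permits the Windchill host for both connect-src and img-src, and nothing more than intended. The following is an added example, not PTC code and not part of ThingWorx: a small Python checker that parses a Content-Security-Policy header value, resolves the default-src fallback, and reports which of the two directives still block a given origin. The header strings, the platform origin https://thingworx.example.com and the WINDCHILL_HOST placeholder are constructed sample values; source matching is simplified (paths, nonces, hashes and wildcard ports are not handled).

```python
"""Check that a Content-Security-Policy header value permits the origins
ThingWorx Navigate needs (connect-src and img-src for the Windchill host).

Added example, not ThingWorx code. Source matching is simplified: paths,
nonces/hashes and wildcard ports are not handled.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when not set explicitly.
FETCH_DIRECTIVES = {"connect-src", "img-src", "script-src", "style-src",
                    "font-src", "frame-src", "media-src", "object-src"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source, ...]}.
    Per the CSP spec, only the first occurrence of a directive counts."""
    directives: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, *sources = tokens
        directives.setdefault(name.lower(), sources)
    return directives


def effective_sources(directives: dict[str, list[str]], name: str) -> list[str]:
    """Sources that apply to `name`, honouring the default-src fallback."""
    if name in directives:
        return directives[name]
    if name in FETCH_DIRECTIVES:
        return directives.get("default-src", [])
    return []


def _port(u) -> int | None:
    return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme.lower())


def source_matches(source: str, origin: str, self_origin: str) -> bool:
    """Does a single source expression permit a request to `origin`?"""
    if source == "'none'":
        return False
    if source == "'self'":
        return source_matches(self_origin, origin, self_origin)
    if source == "*":
        return True
    o = urlsplit(origin)
    if source.endswith(":") and "/" not in source:   # scheme-source, e.g. "https:"
        return source[:-1].lower() == o.scheme.lower()
    if source.startswith("'"):                       # nonce, hash or other keyword
        return False
    # Host-source. A scheme-less host is treated as matching the requested
    # scheme (simplification of the spec's protected-resource rule).
    s = urlsplit(source if "://" in source else f"{o.scheme}://{source}")
    if s.scheme.lower() != o.scheme.lower():
        return False
    pattern, host = (s.hostname or "").lower(), (o.hostname or "").lower()
    if pattern.startswith("*."):
        if not host.endswith(pattern[1:]):
            return False
    elif pattern != host:
        return False
    return _port(s) == _port(o)


def allows(header: str, directive: str, origin: str, self_origin: str) -> bool:
    """True if the effective source list for `directive` permits `origin`."""
    sources = effective_sources(parse_csp(header), directive)
    return any(source_matches(src, origin, self_origin) for src in sources)


def navigate_gaps(header: str, windchill_origin: str, self_origin: str) -> list[str]:
    """The directives Navigate needs (connect-src, img-src) that still block Windchill."""
    return [d for d in ("connect-src", "img-src")
            if not allows(header, d, windchill_origin, self_origin)]


# Constructed sample values; WINDCHILL_HOST is the placeholder used in the docs.
PLATFORM_ORIGIN = "https://thingworx.example.com"
WINDCHILL_ORIGIN = "https://WINDCHILL_HOST"
CSP_BEFORE = "default-src 'self'; connect-src 'self'; img-src 'self' data:"
CSP_AFTER = ("default-src 'self'; connect-src 'self' https://WINDCHILL_HOST; "
             "img-src 'self' data: https://WINDCHILL_HOST")

if __name__ == "__main__":
    for label, csp in (("before", CSP_BEFORE), ("after", CSP_AFTER)):
        print(label, "still blocked:", navigate_gaps(csp, WINDCHILL_ORIGIN, PLATFORM_ORIGIN))
```

Feed the checker the Content-Security-Policy value copied from a response of the platform; an empty list from `navigate_gaps` means both directives admit the Windchill origin, while a scheme or port mismatch (http instead of https, or a non-default port that is not part of the Allowed value) is reported as still blocked, which is the usual reason a Navigate task keeps failing after the directives were edited.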