Content Security Policy
To improve the security posture of ThingWorx customers, we added Content Security Policy (CSP) to the ThingWorx Platform beginning with ThingWorx 9.3.15, 9.4.5, and 9.5.1.
CSP
CSP is a browser security mechanism that helps defend against cross-site scripting (XSS), clickjacking, and other content-injection attacks. The ThingWorx Platform sends a Content-Security-Policy response header with each page, and the browser enforces it: the header's directives control which resources (scripts, fonts, images, frames) the page may load and from which origins. Requests for resources from origins the policy does not allow are blocked by the browser. CSP is a defense-in-depth control; it limits the impact of an injection flaw but does not replace fixing the flaw itself.
Examples of controlled resources include:
• Loading fonts, images, and JavaScript libraries
• Rendering content from a foreign source in an iFrame on a ThingWorx mashup
• Rendering ThingWorx page content in an iFrame on a foreign page, such as rendering a ThingWorx mashup in a Windchill page
The administrator configures CSP directives through ThingWorx Composer. The CSP header is the concatenation of all configured directives and constitutes the CSP policy. The header value is limited to 1200 characters, so keep allowlists short; a policy that exceeds the limit cannot be emitted in full.
ThingWorx has implemented Content Security Policy Level 2. For more information about CSP, see the following:
Composer
Main Page Banner
To alert administrators to this new security functionality and warn them that it is not enabled, ThingWorx Composer displays a non-blocking warning banner at the top of the Composer: "Content Security Policy (CSP) is not enabled. For more information, see the help center."
This banner appears only if CSP is not enabled and only for administrators. An administrator can dismiss the warning for themselves so it does not appear on future logins; other administrators continue to see the banner until they dismiss it. The banner includes a help center link to the Content Security Policy topic.
Configuring CSP
Administrators will configure CSP through the Content Security Policy Rules subpage on the Platform Subsystem. On this page, administrators can add and modify directives that define the policy. For more information, see
Configuring Content Security Policy Header Values
Enabling CSP
CSP is enabled by setting a new parameter in platform-settings.json: "EnableContentSecurityPolicyFilter": true.
If "EnableContentSecurityPolicyFilter" is set to true, CSP protection is enabled. If it is set to false, or is not present in platform-settings.json at all, CSP is disabled. Because the default is off, a fresh or upgraded installation does not emit a CSP header until an administrator sets this flag.
Instructions for installing and upgrading are found in the
Installation and Upgrade section of the help center.
New ThingWorx Platform Installation with CSP Filter
• Manual installation
• ThingWorx Foundation installer
Upgrade ThingWorx to Versions that Support CSP
For maintenance release upgrade, see
Maintenance Release Upgrade.
For Windows manual upgrade, see the following:
For Linux manual upgrade, see the following:
For ThingWorx Foundation installer upgrade, see
Installer Upgrade.
Enable/Disable CSP on an Existing Environment
To Enable/Disable CSP on an existing environment, perform the following steps:
1. Set the EnableContentSecurityPolicyFilter flag to true (to enable) or false (to disable) in the BasicSettings section under PlatformSettingsConfig of platform-settings.json.
2. Restart the Tomcat server so the platform rereads platform-settings.json.
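The following platform-settings.json fragment is an added illustration of where step 1 places the flag; it is not taken from the product documentation, and any other keys that already exist under BasicSettings in your file are omitted here and must be kept:

```json
{
  "PlatformSettingsConfig": {
    "BasicSettings": {
      "EnableContentSecurityPolicyFilter": true
    }
  }
}
```

After the restart, confirm the change took effect by loading a Composer or mashup page in the browser's developer tools and checking that the response carries a Content-Security-Policy header; if the header is absent, the flag was not read (wrong section, invalid JSON, or Tomcat not restarted).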
Note: At ThingWorx startup, ClickjackFilter configurations from web.xml are automatically migrated to CSP if all of the following conditions are met: the CSP filter is turned on, a Clickjack filter has been configured in web.xml, and CSP has not already been configured by ThingWorx administrators in ThingWorx Composer. See Migrating ClickjackFilter Settings to CSP.
Migrating ClickjackFilter Settings to CSP
At ThingWorx startup, ClickjackFilter configurations are automatically migrated to CSP if the following conditions are met:
• Content Security Policy Filter is turned on, which means EnableContentSecurityPolicyFilter is set to true.
• Clickjack Filter has been configured using web.xml.
• CSP filter is not already configured from the UI.
ClickjackFilter can be configured in one of the following three modes: SAMEORIGIN, DENY, and ALLOWLIST.
• If ClickjackFilter was configured to SAMEORIGIN, nothing is migrated, since same-origin framing is already the ThingWorx default configuration for frame-ancestors.
<filter>
<filter-name>ClickjackFilterSameOrigin</filter-name>
<filter-class>com.thingworx.security.filter.ClickjackFilter</filter-class>
<init-param>
<param-name>mode</param-name>
<param-value>SAMEORIGIN</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>ClickjackFilterSameOrigin</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
• If ClickjackFilter was configured to DENY, the CSP directive frame-ancestors will be configured to 'none', so no page may frame ThingWorx content.
<filter>
<filter-name>ClickjackFilterDeny</filter-name>
<filter-class>com.thingworx.security.filter.ClickjackFilter</filter-class>
<init-param>
<param-name>mode</param-name>
<param-value>DENY</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>ClickjackFilterDeny</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
• If ClickjackFilter was configured to ALLOWLIST, the CSP directives frame-ancestors and frame-src will be configured to allow the configured domains, so those origins may both frame ThingWorx content and be framed by it.
<filter>
<filter-name>ClickjackFilterAllowList</filter-name>
<filter-class>com.thingworx.security.filter.ClickjackFilter</filter-class>
<init-param>
<param-name>mode</param-name>
<param-value>ALLOWLIST</param-value>
</init-param>
<init-param>
<param-name>domains</param-name>
<param-value>http://example.com</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>ClickjackFilterAllowList</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
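To make the migration rules above concrete, here is an added Python model of them (this is example code written for this page, not ThingWorx's own implementation). It reads the ClickjackFilter init-params out of a web.xml, applies the three preconditions and the per-mode mapping, serialises the resulting directives, and enforces the 1200-character header limit. It also flags allowlisted http:// origins, since a plaintext origin that may frame or be framed by the platform is exposed to on-path tampering. The sample web.xml and its origins are constructed; the comma separator for multiple domains and the omission of 'self' from the migrated lists are assumptions, because the page does not state either.

```python
# Added example (not ThingWorx code): a model of the ClickjackFilter -> CSP
# migration rules described above, plus the 1200-character header check.
# Assumptions are marked as such; ThingWorx's internal implementation may differ.
import xml.etree.ElementTree as ET

CLICKJACK_FILTER_CLASS = "com.thingworx.security.filter.ClickjackFilter"
CSP_HEADER_LIMIT = 1200  # character limit stated on this page

# Constructed sample web.xml fragment; the origins are placeholders.
# Assumption: multiple allowlisted domains are separated by commas.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <filter-name>ClickjackFilterAllowList</filter-name>
    <filter-class>com.thingworx.security.filter.ClickjackFilter</filter-class>
    <init-param><param-name>mode</param-name><param-value>ALLOWLIST</param-value></init-param>
    <init-param>
      <param-name>domains</param-name>
      <param-value>https://windchill.example.com, http://legacy.example.com</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>ClickjackFilterAllowList</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""


def _local(tag):
    """Strip the XML namespace that a real web.xml puts on every element."""
    return tag.rsplit("}", 1)[-1]


def find_clickjack_params(web_xml):
    """Return the init-params of the ClickjackFilter <filter>, or None if absent."""
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem.tag) != "filter":
            continue
        texts = {_local(c.tag): (c.text or "").strip() for c in elem}
        if texts.get("filter-class") != CLICKJACK_FILTER_CLASS:
            continue
        params = {}
        for init in elem:
            if _local(init.tag) == "init-param":
                kv = {_local(p.tag): (p.text or "").strip() for p in init}
                params[kv.get("param-name", "")] = kv.get("param-value", "")
        return params
    return None


def migrate_to_csp(params, csp_filter_enabled, composer_directives):
    """Apply the three migration preconditions and the per-mode mapping.

    Returns None when migration does not run, {} when nothing needs migrating
    (SAMEORIGIN is already the default), otherwise the frame-* directives to add.
    """
    if not csp_filter_enabled or params is None or composer_directives:
        return None
    mode = params.get("mode", "").upper()
    if mode == "SAMEORIGIN":
        return {}
    if mode == "DENY":
        return {"frame-ancestors": ["'none'"]}
    if mode == "ALLOWLIST":
        domains = [d.strip() for d in params.get("domains", "").split(",") if d.strip()]
        # Assumption: the page does not say whether 'self' is appended; it is not added here.
        return {"frame-ancestors": list(domains), "frame-src": list(domains)}
    raise ValueError(f"unknown ClickjackFilter mode {mode!r}")


def insecure_origins(directives):
    """Allowlisted http:// origins can be tampered with on-path; list them for review."""
    return sorted({v for vals in directives.values() for v in vals if v.startswith("http://")})


def build_csp_header(directives):
    """Serialise directives into one Content-Security-Policy value, enforcing the 1200-char limit."""
    header = "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())
    if len(header) > CSP_HEADER_LIMIT:
        raise ValueError(f"CSP header is {len(header)} characters; limit is {CSP_HEADER_LIMIT}")
    return header


if __name__ == "__main__":
    params = find_clickjack_params(SAMPLE_WEB_XML)
    directives = migrate_to_csp(params, csp_filter_enabled=True, composer_directives={})
    print(build_csp_header(directives))
    print("insecure origins:", insecure_origins(directives))
```

Run it before enabling the filter on a production instance to preview what the migration will produce from your web.xml, and replace any http:// entry with its https:// origin before relying on the allowlist.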