ThingWorx ClickJack Support
Clickjacking is when an attacker uses a frame to display a site and applies one or more invisible layers over it, tricking the user into thinking they are clicking on one thing when they are actually clicking on something in the invisible layer. A defense against clickjacking uses response headers from the server that tell the browser whether it is OK to frame the page. Because of compliance differences between browsers, two different headers must be used to indicate the domains allowed to frame the page. These two headers (X-Frame-Options and Content-Security-Policy) are described below. ThingWorx uses both of these headers, enabling the administrator to disallow all framing, allow framing only from its own origin, or allow framing from specific domains.
Header Descriptions
The two headers used to combat Clickjacking are X-Frame-Options and Content-Security-Policy.
Content Security Policy Level 2, which contains the frame-ancestors directive, is supported by the current versions of all browsers except Internet Explorer, Edge, and Opera Mini, and is only partially supported as of Firefox 52. A full list can be found at: http://caniuse.com/#feat=contentsecuritypolicy2. The X-Frame-Options Allow-From value is supported in Internet Explorer as of version 8 and Firefox as of version 18, but is not supported by Chrome, Safari, or Opera. A list of supported browsers can be found at: https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Limitations
X-Frame-Options
DENY - The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN - The page can only be displayed in a frame on the same origin as the page itself.
ALLOW-FROM http://example.com - The page can only be displayed in a frame on the specified origin.
Content-Security-Policy
frame-ancestors 'none' - Prevents loading resources in a frame from any origin.
frame-ancestors 'self' - Allows loading resources in a frame but only from the same origin.
frame-ancestors domain1.com domain2.com - Allows loading resources in a frame but only from domains in the given list.
ThingWorx Support
Configuration
ThingWorx supports both headers through the use of an HTTP request filter. The administrator can enable one of three filters, ClickjackFilterDeny, ClickjackFilterSameOrigin, or ClickjackFilterWhiteList, by uncommenting the corresponding filter mapping in the web.xml file of the ThingWorx application.
For example:
<!-- use the Deny version to exclude all framing -->
<!--
<filter-mapping>
  <filter-name>ClickjackFilterDeny</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
-->
<!-- use the SameOrigin version to allow your application to frame, but nobody else -->
<!--
<filter-mapping>
  <filter-name>ClickjackFilterSameOrigin</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
-->
<!-- use the WhiteList version to allow framing from specified domains -->
<filter-mapping>
  <filter-name>ClickjackFilterWhiteList</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
No other configuration is needed for ClickjackFilterDeny or ClickjackFilterSameOrigin. If the administrator chooses to use ClickjackFilterWhiteList, they must add the accepted domains to the value of the filter's "domains" parameter.
For example:
<filter>
  <filter-name>ClickjackFilterWhiteList</filter-name>
  <filter-class>com.thingworx.security.filter.ClickjackFilter</filter-class>
  <init-param>
    <param-name>mode</param-name>
    <param-value>WHITELIST</param-value>
  </init-param>
  <init-param>
    <param-name>domains</param-name>
    <param-value>http://media-pc:8080 http://192.168.152.133:8080 http://domainY.com</param-value>
  </init-param>
</filter>
The given domains must be in the format shown: a space-separated list in which each entry includes the scheme (http).
Note: The Allow-From value of X-Frame-Options is restricted to a single domain, so it cannot carry a full whitelist; only Content-Security-Policy frame-ancestors can express a list of several domains.
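The following is an added example, not ThingWorx code: it builds the two headers for the three modes described above (the mode names DENY and SAMEORIGIN are assumed to mirror the filter's WHITELIST value) and shows how to audit a deployment by evaluating whether a given framing origin would be permitted by each header, including the single-domain limitation of Allow-From.

```python
"""Build and audit anti-clickjacking headers (example, not ThingWorx's filter)."""
from urllib.parse import urlsplit


def build_headers(mode, domains=()):
    """Return the X-Frame-Options / Content-Security-Policy pair for a mode."""
    if mode == "DENY":
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    if mode == "SAMEORIGIN":
        return {"X-Frame-Options": "SAMEORIGIN",
                "Content-Security-Policy": "frame-ancestors 'self'"}
    if mode == "WHITELIST":
        if not domains:
            raise ValueError("WHITELIST mode needs at least one domain")
        # frame-ancestors carries the whole space-separated list, but
        # ALLOW-FROM accepts a single origin, so only the first one fits.
        return {"X-Frame-Options": f"ALLOW-FROM {domains[0]}",
                "Content-Security-Policy": "frame-ancestors " + " ".join(domains)}
    raise ValueError(f"unknown mode {mode!r}")


def origin(url):
    """Normalise a URL to its scheme://host[:port] origin, lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _source_matches(src, framer_url):
    # Scheme-qualified source: compare full origins; bare host: compare host[:port].
    if "://" in src:
        return origin(src) == origin(framer_url)
    return src.lower() == urlsplit(framer_url).netloc.lower()


def xfo_allows_framing(xfo_value, page_url, framer_url):
    """Would a browser honouring X-Frame-Options let framer_url frame page_url?"""
    value = xfo_value.strip()
    if value.upper() == "DENY":
        return False
    if value.upper() == "SAMEORIGIN":
        return origin(page_url) == origin(framer_url)
    if value.upper().startswith("ALLOW-FROM"):
        return origin(value.split(None, 1)[1]) == origin(framer_url)
    return True  # unrecognised value: the header imposes no restriction


def csp_allows_framing(csp_value, page_url, framer_url):
    """Evaluate only the frame-ancestors directive of a CSP header value."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        for src in parts[1:]:
            if src == "'self'":
                if origin(page_url) == origin(framer_url):
                    return True
            elif src != "'none'" and _source_matches(src, framer_url):
                return True
        return False
    return True  # no frame-ancestors directive: CSP does not restrict framing
```

Running both checks against the same whitelist shows why the page recommends emitting both headers: a CSP-capable browser admits every listed domain, while an Allow-From-only browser admits just the first.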