
Monaco Editor does not work on ThingWorx 9.3.17-b2768 with CSP enabled #57

Open
NicciZar opened this issue Sep 18, 2024 · 4 comments

@NicciZar

After updating to ThingWorx 9.3.17-b2768, PTC enforces usage of their Content Security Policy, found within PlatformSubsystem.
It seems like the default settings make it impossible for Monaco Editor to load the newComposer.bundle.js file.

CSP is a key security tool web browsers use to help secure against cross-site scripting (XSS), Clickjacking, and other data injection attacks. CSP works by injecting CSP headers from the ThingWorx Platform into the web browser to control what dynamic data and resources the browser can load and from what domains.

https://support.ptc.com/help/thingworx/platform/r9/en/#page/ThingWorx/Help/Composer/Security/ContentSecurityPolicy.html

It is configurable from within ThingWorx, but I am unsure which exact setting is the correct one.

@stefan-lacatus stefan-lacatus self-assigned this Oct 1, 2024
@JanKerkhofs

JanKerkhofs commented Oct 24, 2024

We've just updated to ThingWorx 9.6.1 and also noticed this problem coming from 9.3.9.
It can be solved by adding the following Content Security Policy rules (configurable in PlatformSubsystem):

You can manually restart the entity, and after some minutes your environment should be using these modified rules (Shift + F5).

Hope this helps 🤞

@NicciZar
Author

NicciZar commented Oct 28, 2024

Thank you for sharing your experience!

I tried using your values and checked whether the CSP had been modified using https://csp-evaluator.withgoogle.com/

Sadly, it does not seem to be working for me.
This is the configuration that is shown by csp-evaluator:

connect-src 'self';
style-src 'self' 'unsafe-inline';
script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cnd.jsdelivr.net/npm/;
object-src 'self';
worker-src 'self' blob:;
frame-src 'self' tw-ra-client:;
media-src 'self';
frame-ancestors 'self';
img-src 'self' data:;
default-src 'self';
font-src 'self' https://cnd.jsdelivr.net/npm/

@JanKerkhofs

JanKerkhofs commented Oct 28, 2024

Hi NicciZar,
I made a typo in my first answer.
It should be cdn.js... instead of cnd.js... for both script-src and font-src.
Changes to the PlatformSubsystem can take a couple of minutes to take effect.
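The failure above is exactly what a CSP source-list match does: a host-source has to agree with the requested URL on scheme, host and path prefix, so `https://cnd.jsdelivr.net/npm/` never permits a load from `cdn.jsdelivr.net`, and `script-src`/`font-src` fall through to nothing else that matches. The following is an added example, not code from this thread or from the Monaco/ThingWorx add-on: a small CSP matcher that parses the policy NicciZar pasted, evaluates the loads Monaco needs against it, and reports which ones the policy blocks. It goes a little beyond the thread by also handling scheme-sources (`blob:`, `data:`), `'none'`, wildcard subdomains and the default-src fallback. The ThingWorx origin, the jsdelivr asset paths and the blob URL are constructed placeholders, and real CSP3 has further details (nonces, hashes, `'strict-dynamic'`) that this deliberately omits.

```python
"""Minimal CSP source-list matcher (added example; not part of the issue thread or the add-on)."""
from urllib.parse import urlparse

# Constructed sample: the policy NicciZar pasted from csp-evaluator, with the 'cnd' typo kept.
POLICY_WITH_TYPO = (
    "connect-src 'self'; style-src 'self' 'unsafe-inline'; "
    "script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cnd.jsdelivr.net/npm/; "
    "object-src 'self'; worker-src 'self' blob:; frame-src 'self' tw-ra-client:; "
    "media-src 'self'; frame-ancestors 'self'; img-src 'self' data:; "
    "default-src 'self'; font-src 'self' https://cnd.jsdelivr.net/npm/"
)
# The correction JanKerkhofs gave: cdn, not cnd.
POLICY_FIXED = POLICY_WITH_TYPO.replace("cnd.jsdelivr.net", "cdn.jsdelivr.net")

# Fetch directives that fall back to default-src when they are absent.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src", "connect-src",
                    "media-src", "object-src", "frame-src", "worker-src", "child-src"}

# Hypothetical origin and asset URLs, constructed for the example only.
ORIGIN = "https://twx.example.com"
MONACO_LOADS = [
    ("script-src", "https://cdn.jsdelivr.net/npm/monaco-editor/min/vs/loader.js"),
    ("font-src", "https://cdn.jsdelivr.net/npm/monaco-editor/min/vs/codicon.ttf"),
    ("worker-src", "blob:https://twx.example.com/0f3a-constructed-uuid"),
    ("script-src", "https://twx.example.com/Thingworx/newComposer.bundle.js"),
]


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(pattern: str, host: str) -> bool:
    # '*.jsdelivr.net' matches any subdomain but not the bare apex host.
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def _source_matches(source: str, url: str, page_origin: str) -> bool:
    """Does one source expression permit loading `url` from a page at `page_origin`?"""
    u = urlparse(url)
    if source == "'self'":
        o = urlparse(page_origin)
        return (u.scheme, u.netloc) == (o.scheme, o.netloc)
    if source.endswith(":"):            # scheme-source such as blob: or data:
        return u.scheme == source[:-1].lower()
    if source.startswith("'"):          # 'unsafe-inline', 'unsafe-eval', nonces, hashes:
        return False                    # these never authorise a fetch by URL
    # host-source: [scheme://]host[:port][/path]; a bare host inherits the URL's scheme
    src = urlparse(source if "://" in source else "//" + source, scheme=u.scheme)
    if src.scheme.lower() != u.scheme.lower():
        return False
    if not _host_matches((src.hostname or "").lower(), (u.hostname or "").lower()):
        return False
    if src.port is not None and src.port != u.port:
        return False
    if src.path:                        # CSP path matching: a trailing '/' means prefix
        if src.path.endswith("/"):
            return u.path.startswith(src.path)
        return u.path == src.path
    return True


def allows(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """Evaluate `directive` for `url`, falling back to default-src as CSP does."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True                     # no governing directive: the fetch is unrestricted
    if "'none'" in sources:
        return False
    return any(_source_matches(s, url, page_origin) for s in sources)


def blocked_loads(header: str, loads: list, page_origin: str) -> list:
    """Return the (directive, url) pairs the policy would block."""
    policy = parse_csp(header)
    return [(d, u) for d, u in loads if not allows(policy, d, u, page_origin)]


if __name__ == "__main__":
    for label, header in (("typo", POLICY_WITH_TYPO), ("fixed", POLICY_FIXED)):
        print(label, "blocks:", blocked_loads(header, MONACO_LOADS, ORIGIN))
```

Running it shows both jsdelivr loads blocked under the typo policy and nothing blocked once the host reads `cdn.jsdelivr.net`; the same function can be pointed at a proposed PlatformSubsystem policy before it is applied, which is cheaper than waiting the couple of minutes for the change to take effect and hard-refreshing.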

@NicciZar
Author

Hi JanKerkhofs,

Thank you! This works!

Maybe this should be added to the README of the add-on so other users can configure their TWX CSP accordingly.
