Monaco Editor does not work on ThingWorx 9.3.17-b2768 with CSP enabled

ptc-iot-sharing / MonacoEditorTWX

Replace the default script editor in thingworx with the one from Visual Studio Code

30 stars 9 forks source link

Monaco Editor does not work on ThingWorx 9.3.17-b2768 with CSP enabled #57

Open NicciZar opened 1 month ago

NicciZar commented 1 month ago

After updating to version ThingWorx 9.3.17-b2768 PTC enforces usage of their ContentSecurityPolicy found within PlatformSubsystem. It seems like the default settings makes it impossible for MonacoEditor to load the newComposer.bundle.js file.

CSP is a key security tool web browsers use to help secure against cross-site scripting (XSS), Clickjacking, and other data injection attacks. CSP works by injecting CSP headers from the ThingWorx Platform into the web browser to control what dynamic data and resources the browser can load and from what domains.

https://support.ptc.com/help/thingworx/platform/r9/en/#page/ThingWorx/Help/Composer/Security/ContentSecurityPolicy.html

It is configurable from within Thingworx but I am unsure which exact setting is the correct one.

JanKerkhofs commented 2 days ago

We've just updated to ThingWorx 9.6.1 and also noticed this problem coming from 9.3.9. It can be solved by adding following Content Security Policy Rules (configurable in PlatformSubsystem):

font-src https://cnd.jsdelivr.net/npm/
script-src https://cnd.jsdelivr.net/npm/
worker-src blob:

You can manually Restart the entity and after some minutes your environment should be using these modified rules (Shift + f5).

Hope this helps 🤞