search

thingworx-field-work / MonacoEditorTWX

Replace the default script editor in thingworx with the one from Visual Studio Code
32 stars 9 forks source link

Monaco Editor does not work on ThingWorx 9.3.17-b2768 with CSP enabled #57

Open NicciZar opened 2 months ago

NicciZar commented 2 months ago

After updating to version ThingWorx 9.3.17-b2768 PTC enforces usage of their ContentSecurityPolicy found within PlatformSubsystem. It seems like the default settings makes it impossible for MonacoEditor to load the newComposer.bundle.js file.

CSP is a key security tool web browsers use to help secure against cross-site scripting (XSS), Clickjacking, and other data injection attacks. CSP works by injecting CSP headers from the ThingWorx Platform into the web browser to control what dynamic data and resources the browser can load and from what domains.

https://support.ptc.com/help/thingworx/platform/r9/en/#page/ThingWorx/Help/Composer/Security/ContentSecurityPolicy.html

It is configurable from within Thingworx but I am unsure which exact setting is the correct one.

JanKerkhofs commented 1 month ago

We've just updated to ThingWorx 9.6.1 and also noticed this problem coming from 9.3.9. It can be solved by adding following Content Security Policy Rules (configurable in PlatformSubsystem):

You can manually Restart the entity and after some minutes your environment should be using these modified rules (Shift + f5).

Hope this helps 🤞

NicciZar commented 4 weeks ago

Thank you for sharing your experience!

I tried using your values and checked if the CSP has been modified using https://csp-evaluator.withgoogle.com/

sadly, it does not seem to be working for me This is the configuration that is being shown by csp-evaluator:

connect-src 'self';
style-src 'self' 'unsafe-inline';
script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cnd.jsdelivr.net/npm/;
object-src 'self';
worker-src 'self' blob:;
frame-src 'self' tw-ra-client:;
media-src 'self';
frame-ancestors 'self';
img-src 'self' data:;
default-src 'self';
font-src 'self' https://cnd.jsdelivr.net/npm/
JanKerkhofs commented 4 weeks ago

Hi NicciZar, I have made a typo in my first answer. It should be cdn.js.... instead of cnd.js... for both script-src and font-src Changes to the PlatformSubsystem can take a couple of minutes to take effect.

NicciZar commented 4 weeks ago

Hi JanKerkhofs,

thank you! This works!

Maybe this should be added to the Readme of the Addon so other users can configure their TWX CSP accordingly.