Domain name format | CSP Visual Embed host | CSP connect-src | CORS | CSP font-src CSP style-src CSP img-src |
---|---|---|---|---|
Domain URL strings without protocol
| β Supported | β Supported | β Supported | β Supported |
Domain URL strings for localhost
| β Supported | β Supported | β Supported | β Supported |
Domain URL strings without port
If your domain URL has a non-standard port, for example | β Supported | β Supported | β Supported | β Supported |
Wildcard ( | β Supported | β Supported | x Not supported | β Supported |
Wildcard (*) before the domain name extension | x Not supported | x Not supported | x Not supported | x Not supported |
Plain text string without the domain name extension.
| x Not supported | x Not supported | x Not supported | x Not supported |
Domain name with wildcard (*) and a leading dot
| x Not supported | x Not supported | β Supported To avoid domain validation errors, make sure you add an escape character | x Not supported |
Wildcard before the domain name
| β Supported | β Supported | x Not supported | β Supported |
Domain names with space, backslash (\), and wildcard (*).
| x Not supported | x Not supported | x Not supported | x Not supported |
URLs with query parameters | x Not supported | x Not supported | x Not supported | x Not supported |
URLs with path parameters | β Supported | β Supported | x Not supported | β Supported |
URLs with path and query parameters | x Not supported | x Not supported | x Not supported | x Not supported |
IPv4 addresses | β Supported | β Supported | β Supported | β Supported |
Semicolons as separators | x Not supported | x Not supported | x Not supported | x Not supported |
Comma-separated values | β Supported | β Supported | β Supported | β Supported |
| x Not supported | x Not supported | x Not supported | x Not supported |
Wildcard (*) for port
| β Supported | β Supported | β Supported | β Supported |
Security settings
The Security Settings page in ThoughtSpot UI allows administrators and developers to configure Content Security Policy (CSP), Cross-origin resource sharing (CORS), authentication, and access control settings.
Note
|
The following settings on the Security Settings page appear as locked for ThoughtSpot Analytics application users. These settings apply to ThoughtSpot embedding and require an embedding license: |
Security settings for ThoughtSpot embeddingπ
Most web browsers block cross-site scripting, cross-domain requests, and third-party cookies by default. Web browsers also have built-in security mechanisms such as same-origin and content security policies. These policies restrict how applications and scripts from one origin (domain) can interact with the resources hosted on another origin (domain). If you are embedding ThoughtSpot content in your application page, you can choose to implement cookieless authentication. If using cookie-based authentication, make sure to configure CORS settings.
Add CSP visual embed hostsπ
To allow your host domain to set the frame-ancestors
CSP policy header and embed a ThoughtSpot object within your application frame, add your application domain as a CSP visual embed host.
-
Log in to your ThoughtSpot application instance.
-
For classic experience, click Develop.
If you are using the new experience, click the Application switcher > Developer.
-
Go to Customizations > Security settings.
-
Click Edit.
-
In the CSP visual embed hosts text box, add the domain names. For valid domain name formats, See Domain name format for CSP and CORS configuration.
-
Click Save changes.
Note
|
Only users with valid embed license can add Visual Embed hosts. |
Add URLs to CSP connect-src allowlistπ
If you plan to create custom actions with URL targets, you must add the domain names of these URLs to the CSP connect-src
allowlist. This allows JavaScript events triggered by the custom action URLs.
-
Log in to your ThoughtSpot application instance.
-
For classic experience, click Develop.
If you are using the new experience, click the Application switcher > Developer.
-
Go to Customizations > Security settings.
-
Click Edit.
-
In the CSP connect-src domains text box, add the domain names. For valid domain name formats, See Domain name format for CSP and CORS configuration.
-
Click Save changes.
Enable CORSπ
The CORS configuration for your cluster controls which domains can access and modify your application content. To allow your application to call ThoughtSpot or its REST API endpoints, and request resources, you must add your application domain to the CORS allowlist. For example, if your website is hosted on the example.com
domain and the embedded ThoughtSpot content is hosted on the example.thoughtspot.com
, you must add the example.com
domain to the CORS allowlist for cross-domain communication. You can also add http://localhost:8080
to the CORS allowlist to test your deployments locally. However, we recommend that you disable localhost
access in production environments.
If you enable CORS for your application domain, ThoughtSpot adds the Access-Control-Allow-Origin
header in its API responses when your host application sends a request to ThoughtSpot.
To add domain names to the CORS allowlist, follow these steps:
-
Log in to your ThoughtSpot application instance.
-
For classic experience, click Develop.
If you are using the new experience, click the Application switcher > Developer.
-
Under Customizations > Security settings.
-
Click Edit.
-
In the CORS whitelisted domains text box, add the domain names. For valid domain name formats, See Domain name format for CSP and CORS configuration.
-
Click Save changes.
Add trusted domains to CSP allowlistsπ
To import images, fonts, and stylesheets from external sites, or load the content from an external site using an iFrame element, you must add the source URLs as trusted domains in the CSP allowlist. For example, in the Liveboard Note tiles, if you want to insert an image from an external site or embed content from an external site in an iFrame, you must add domain URLs of these sites to the CSP allowList. Similarly, to import fonts and custom styles from an external source, you must add the source URL as a trusted domain in ThoughtSpot.
The following CSP settings are available on the Develop > Customizations > Security Settings page:
-
CSP img-src domains
Add the domains from which you want to load images and favicons. -
CSP font-src domains
Add the domains from which you want to load fonts. -
CSP style-src domains
Add the domains from which you want to load stylesheets. -
CSP frame-src domains
Add the iframe source URL domains.
Note
|
If your application instance has Orgs, the CSP settings can be configured only at the cluster level. |
Domain name format for CSP and CORS configurationπ
Important
|
Note the following points if using port or protocol in the domain name string:
|
The following table shows the valid domain name strings for the CORS and CSP allowlists.
Block access to non-embedded ThoughtSpot pagesπ
For information on restricting access to non-embedded ThoughtSpot content for embedded users, see Control User Access.