Integrate external tools and allow custom scripts

Integrate external tools and allow custom scripts

ThoughtSpot supports integrating third-party apps such as Mixpanel, Pendo, LogRocket, and more in your embed. If you are using third-party tools to track usage, trace, log, or onboard your application users, you can seamlessly integrate these tools with ThoughtSpot embed and add custom JavaScripts. This feature is disabled by default on ThoughtSpot instances. To enable this feature, contact ThoughtSpot Support.

Important

While ThoughtSpot allows the injection of custom JavaScripts, it is important to be aware of the associated security risks, particularly Cross-Site Scripting (XSS). XSS is a vulnerability that can enable malicious actors to inject and execute unauthorized scripts within a trusted environment. This can lead to data breaches, unauthorized access to user sessions, and compromised system integrity. ThoughtSpot strongly recommends reviewing security guidelines before activating this feature in your instances and exercising caution when integrating third-party tools into your embedded application.

Security considerations🔗

Before requesting ThoughtSpot Support to enable this feature on your instance, do the following:

  • Review the security risks associated with custom-hosted scripts and understand the potential consequences of XSS attacks.

  • Implement security controls and measures to validate hosted scripts and mitigate potential vulnerabilities.

Feature enablement🔗

Enabling third-party tools on embed involves two steps:

  1. Request for feature activation and provide the script details to ThoughtSpot Support

  2. Adding the script sources to the CSP allowlist

Request for feature enablement🔗

Create a ThoughtSpot Support ticket to enable the feature on your instance. In your request, specify the domain URLs that will host the scripts in your embedding environment.

Wait for ThoughtSpot Support to validate, approve, and configure the URL for your instance. This step will ensure that only the trusted and vetted domains are allowed to run scripts in your application environment.

Add script source to CSP allowlist🔗

After the script hosting URL is approved and configured by ThoughtSpot Support, you must add the JavaScript hosting domain to the CSP allowlist. This step requires administration privileges, so make sure you log in to ThoughtSpot with your administrator credentials.

  1. In your ThoughtSpot application, navigate to Develop > Customizations > Security Settings.

  2. If your instance has the Orgs feature enabled, ensure that you are in the All Orgs context.

  3. On the Security Settings page, click Edit and turn on the CSP script-src domains toggle switch.

    CSS script-src domain

  4. Add the script hosting domain.

  5. Click Save changes.

Note

  • The CSP script-src domains section is visible to users with administrative privileges only if the third-party integration feature is enabled on your instance.

  • The CSP script-src domains cannot be enabled and configured at the Org level. When configured, this setting will apply to all the Orgs configured on your instance.

Passing variables to the hosted script🔗

To pass variables to the customer’s hosted script, Visual Embed SDK provides the customVariablesForThirdPartyTools parameter. The customVariablesForThirdPartyTools is an object containing the variables that you wish to pass to the customer’s hosted JavaScript. These may include private information such as credentials or keys. The hosted JavaScript will access these variables via the window.tsEmbed object.

Developers can define this parameter in the init() function as shown in the following example. Once initialized, the JavaScript will run after the authentication is successfully completed in the ThoughtSpot Embed App.

init({
  //...
  customVariablesForThirdPartyTools: { cloud: "123Basic" }
});