| Domain name format | CSP Visual Embed host | CSP connect-src | CORS | CSP font-src CSP style-src CSP img-src |
|---|---|---|---|---|
Domain URL strings without protocol
| β Supported | β Supported | β Supported | β Supported |
Domain URL strings for localhost
| β Supported | β Supported | β Supported | β Supported |
Domain URL strings without port
If your domain URL has a non-standard port, for example | β Supported | β Supported | β Supported | β Supported |
Wildcard ( | β Supported | β Supported | x Not supported | β Supported |
Wildcard (*) before the domain name extension | x Not supported | x Not supported | x Not supported | x Not supported |
Plain text string without the domain name extension.
| x Not supported | x Not supported | x Not supported | x Not supported |
Domain name with wildcard (*) and a leading dot
| x Not supported | x Not supported | β Supported To avoid domain validation errors, make sure you add an escape character | x Not supported |
Wildcard before the domain name
| β Supported | β Supported | x Not supported | β Supported |
Domain names with space, backslash (\), and wildcard (*).
| x Not supported | x Not supported | x Not supported | x Not supported |
URLs with query parameters | x Not supported | x Not supported | x Not supported | x Not supported |
URLs with path parameters | β Supported | β Supported | x Not supported | β Supported |
URLs with path and query parameters | x Not supported | x Not supported | x Not supported | x Not supported |
IPv4 addresses | β Supported | β Supported | β Supported | β Supported |
Semicolons as separators | x Not supported | x Not supported | x Not supported | x Not supported |
Comma-separated values | β Supported | β Supported | β Supported | β Supported |
| x Not supported | x Not supported | x Not supported | x Not supported |
Wildcard (*) for port
| β Supported | β Supported | β Supported | β Supported |
Security settings
For security purpose, most web browsers block cross-site scripting, cross-domain requests, and third-party cookies by default. Web browsers also have built-in security mechanisms such as same-origin and content security policies. These policies restrict how applications and scripts from one origin (domain) can interact with the resources hosted on another origin (domain).
Add trusted domains for embed supportπ
If you have embedded ThoughtSpot content within your application page using an inline frame, web browsers may block the embedded content. If your host application and embedded ThoughtSpot instance are on different domains, most web browsers also block cross-domain requests by default.
To enable seamless interaction between your host application and the embedded ThoughtSpot instance, you need to configure the following security settings in ThoughtSpot:
-
Trusted hosts for CORS
To allow your application to call ThoughtSpot, access its resources, and render embedded content, you must add your domain as a trusted host and enable Cross-Origin Resource Sharing (CORS).
-
Trusted hosts for CSP
To allow your application to embed ThoughtSpot and access its content via web browsers, add your application domain as a trusted host in the CSP allowlist. You need to also add the domain URLs to the
connect-srcallowlist to load script interfaces and allow Javascript events.Users with admin or developer privileges can configure the CORS and CSP allowlists on the Security Settings page in the Develop tab of the ThoughtSpot UI.
Add CSP visual embed hostsπ
To allow your host domain to set the frame-ancestors CSP policy header and embed a ThoughtSpot object within your application frame, add your application domain as a CSP visual embed host.
-
Log in to your ThoughtSpot application instance.
-
Click the Develop tab.
-
Go to Customizations > Security settings.
-
Click Edit.
-
In the CSP visual embed hosts text box, add the domain names. For valid domain name formats, See Domain name format for CSP and CORS configuration.
-
Click Save changes.
Add URLs to CSP connect-src allowlistπ
If you plan to create custom actions with URL targets, you must add the domain names of these URLs to the CSP connect-src allowlist. This allows JavaScript events triggered by the custom action URLs.
-
Log in to your ThoughtSpot application instance.
-
Click the Develop tab.
-
Go to Customizations > Security settings.
-
Click Edit.
-
In the CSP connect-src domains text box, add the domain names. For valid domain name formats, See Domain name format for CSP and CORS configuration.
-
Click Save changes.
Enable CORSπ
The CORS configuration for your cluster controls which domains can access and modify your application content. To allow your application to call ThoughtSpot or its REST API endpoints, and request resources, you must add your application domain to the CORS allowlist. For example, if your website is hosted on the example.com domain and the embedded ThoughtSpot content is hosted on the example.thoughtspot.com, you must add the example.com domain to the CORS allowlist for cross-domain communication. You can also add http://localhost:8080 to the CORS allowlist to test your deployments locally. However, we recommend that you disable localhost access in production environments.
If you enable CORS for your application domain, ThoughtSpot adds the Access-Control-Allow-Origin header in its API responses when your host application sends a request to ThoughtSpot.
To add domain names to the CORS allowlist, follow these steps:
-
Log in to your ThoughtSpot application instance.
-
Click the Develop tab.
-
Under Customizations > Security settings.
-
Click Edit.
-
In the CORS whitelisted domains text box, add the domain names. For valid domain name formats, See Domain name format for CSP and CORS configuration.
-
Click Save changes.
Add trusted domains for font, CSS, and image importπ
Starting from ThoughtSpot Cloud 8.10.0.cl release, you can add trusted source URLs from which images, fonts, and stylesheets can be retrieved.
-
To define an allowed list of source URLs and domains, go to Develop > Customizations > Security Settings.
-
Click Edit.
-
In the CSP img-src domains field, add the domains from which you want to load images and favicons.
-
In the CSP font-src domains field, add the domains from which you want to load fonts.
-
In the CSP style-src domains field, add the domains from which you want to load stylesheets.
-
Make sure the domain names are valid and listed as comma-separated values.
-
Click Save changes.
Domain name format for CSP and CORS configurationπ
|
Important
|
Note the following points if using port or protocol in the domain name string:
|
The following table shows the valid domain name strings for the CORS and CSP allowlists.
Block access to non-embedded ThoughtSpot pagesπ
If you have embedded ThoughtSpot content in your app, you may want your users to access only the ThoughtSpot pages embedded within the context of your host app.
If you have embedded ThoughtSpot using Visual Embed SDK v1.22.0 or later, the blockNonEmbedFullAppAccess property in the SDK is set to true by default. Due to this, your application users cannot access or navigate to the ThoughtSpot application experience outside the context of your app.
If you are not using Visual Embed SDK to embed ThoughtSpot, you can turn on the Block non-embed full app access feature on the Develop > Customizations > Security Settings page. This will restrict your users from opening non-embedded ThoughtSpot pages from their embedded app context. Note that this feature does not restrict ThoughtSpot users with administrator or developer privileges from accessing ThoughtSpot pages.