Spotfire® Server and Environment Security

Preferences

Preferences are usually set by administrators. Some preferences can have an impact on security, and these should be set only after considering what security impact changing the preference might have. A non-exhaustive list of such preferences is given below.

See the Spotfire® Administration Manager User Manual, available on the documentation site, for more information about preferences.

Table 1. Application > ApplicationPreferences

Preference name: Additional File Extensions
Default: .html, .htm
Description: In Spotfire clients, file:// links are passed to the operating system, and the default open action for the file type is performed. For example, .html files are opened in the default browser and .jpg files in the application associated with the .jpg file extension. Adding extensions for file types that can contain code, such as .bat, .py or .exe, to the allowed extensions in Spotfire makes opening files from untrustworthy sources dangerous.

Preference name: Additional URI Schemes
Default: Empty
Description: Controls which URI schemes can be used, in addition to http:// and https://.

Preference name: Allow copying refresh token for credentials profile
Default: False
Description: Controls whether users can copy the OAuth refresh token, for use in a credentials profile, when they open a Microsoft SharePoint Online connection in a Spotfire web client.

Preference name: AllowSharingOfCachedDataBetweenUsers
Description: Controls whether users are allowed to select the check box "Share cached data between all concurrent users of Spotfire web clients" on the Cache Settings tab in the Data Connection Properties dialog. Setting this preference to False disables the check box control.

Preference name: Blocked System Types
Default: Empty
Description: Specifies an array of system types that cannot be used when users save or load documents and bookmarks. The purpose of this restriction preference is to give the administrator a way to block as-yet-unknown security issues with insecure deserialization of .NET types or classes, as an environment option. Any classes found to be insecure can be blocked without using this preference. See also Use Blocked System Types in the Application Preferences topic in the Spotfire Administration Manager - User Guide.

Preference name: EnableAllowSavingDatabaseCredentials
Default: True
Description: If enabled, users have the option to embed credentials for a data source used in the file when saving Spotfire analyses. Embedding credentials is not recommended, because anyone with access to the file can read the credentials. Setting this value to False ensures that credentials are not embedded in files by mistake.

Preference name: Sandbox Attribute for iframe Components
Default: allow-forms allow-popups allow-same-origin allow-scripts
Description: You can restrict the content of iframe components in the application (such as the Web Page panel) using the standard sandbox attribute rules. Enter the values that remove the specified sandbox restrictions, as a space-separated list.

Preference name: Whitelist for Allowed URIs
Default: Empty
Description: You can specify an array of URIs that are allowed for use in links within Spotfire analyses and also in the Web Page panel. For security reasons, only trusted sources should be whitelisted. By controlling the whitelist, you ensure that only approved web servers and other external resources are allowed to interact with analysis files in the Spotfire environment. See Use Whitelist for Allowed URIs in the Application Preferences topic in the Spotfire Administration Manager - User Guide.
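The following is an added example, not Spotfire code, that models how the Table 1 link preferences (Additional File Extensions, Additional URI Schemes, Whitelist for Allowed URIs) and the iframe sandbox value can be checked by an administrator reviewing a configuration. The preference values are constructed; comparing whitelisted URIs by origin rather than by string prefix, and treating an empty whitelist as no restriction, are assumptions of this example, not documented Spotfire behaviour.

```python
import os
from urllib.parse import urlsplit

# Constructed stand-ins for the Table 1 preferences; the real values live in Administration Manager.
ADDITIONAL_FILE_EXTENSIONS = {".html", ".htm"}          # Additional File Extensions (page default)
ADDITIONAL_URI_SCHEMES = {"mailto"}                     # Additional URI Schemes (constructed)
WHITELIST_FOR_ALLOWED_URIS = [                          # Whitelist for Allowed URIs (constructed)
    "https://intranet.example.com",
    "https://maps.example.com:8443/tiles",
]

def origin(uri):
    """(scheme, host, port) of a URI; the allow-list is compared on origins, never by string prefix."""
    p = urlsplit(uri)
    scheme = p.scheme.lower()
    port = p.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, (p.hostname or "").lower(), port)

ALLOWED_ORIGINS = {origin(u) for u in WHITELIST_FOR_ALLOWED_URIS}

def link_allowed(uri):
    """Decide whether a link in an analysis may be followed under the preferences above."""
    p = urlsplit(uri)
    scheme = p.scheme.lower()
    if scheme == "file":
        # file:// links are handed to the OS, so only the configured extensions may be opened
        return os.path.splitext(p.path)[1].lower() in ADDITIONAL_FILE_EXTENSIONS
    if scheme in ("http", "https"):
        # Assumption of this example: an empty whitelist imposes no origin restriction
        return not ALLOWED_ORIGINS or origin(uri) in ALLOWED_ORIGINS
    return scheme in ADDITIONAL_URI_SCHEMES

# Tokens defined by the HTML sandbox attribute; anything else in the preference is a typo
SANDBOX_TOKENS = {
    "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
    "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
    "allow-presentation", "allow-same-origin", "allow-scripts",
    "allow-top-navigation", "allow-top-navigation-by-user-activation",
}

def audit_sandbox(value):
    """Findings for a 'Sandbox Attribute for iframe Components' value (space-separated tokens)."""
    tokens = set(value.split())
    findings = [f"unknown token: {t}" for t in sorted(tokens - SANDBOX_TOKENS)]
    if {"allow-scripts", "allow-same-origin"} <= tokens:
        # Per the HTML spec, this pair lets the framed document remove its own sandbox attribute
        findings.append("allow-scripts together with allow-same-origin defeats the sandbox")
    return findings
```

Note that the page's default sandbox value grants both allow-scripts and allow-same-origin, so audit_sandbox reports it; whether that is acceptable depends on how trusted the framed web pages are.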

Table 2. TextArea > TextAreaPreferences

Preference name: PerformHtmlSanitation
Default: True
Description: HTML sanitization is a whitelist feature that works by allowing only a small subset of HTML in the text area. If disabled, the author or others can create or open analyses that include text areas without HTML sanitization. Setting the preference to False makes the system susceptible to cross-site scripting (XSS) attacks if files from untrustworthy sources are opened.

Table 3. DataFunctions

Preference name: IgnoreTrustCheck
Default: False
Description: Lets you switch off the trust checking of data functions, so that data functions not approved by a member of the Script Author group can execute without prior approval. Introduced in Spotfire 10.3.

Table 4. MapChart > MapChartPreferences

Preference name: DefaultWebMapServiceListUrl
Default: http://geoanalytics.tibco.com/
Description: The default map chart resource server URL can be overridden so the map chart can be used in an environment without Internet access. See Offline Maps in Spotfire on the Community.

Preference name: DefaultHttpsWebMapServiceListUrl
Default: http://geoanalytics.tibco.com/
Description: The default map chart resource server URL can be overridden so the map chart can be used in an environment without Internet access. See Offline Maps in Spotfire on the Community.

Table 5. Connectors > <Connector name>

Preference name: AllowEmbeddingCertificatesWithPrivateKeys
Default: False
Description: To be able to create encrypted connections with some connectors, you must add and embed a certificate file in the connection data source. This preference determines whether users are allowed to embed certificate files that contain private keys. Embedding certificate files with private keys is not recommended, because it is possible for anyone with access to the file to extract the certificate. By setting this value to False, you can ensure that certificates with private keys are not embedded in files by mistake.