Spotfire Visualization Mods
Spotfire visualization mods are visualizations created using web technologies such as JavaScript or TypeScript that run in the provided framework within Spotfire clients. Running a mod involves code execution, so provisions are in place to help users make trust decisions. Mods can be created and uploaded to a Spotfire library by any user with sufficient privileges, and trust for mods can be handled either by the server administrator or by end users, depending on how the environment has been configured.
Component | Description |
---|---|
Licenses | The license features for working with Spotfire visualization mods are located under Spotfire Extensions. |
Execution context | Visualization mods run in a sandboxed iframe within the Spotfire clients. If a signer is trusted, mods developed by that signer will work the same way as native Spotfire visualizations. If a user opens a file containing a trusted visualization mod, then the code can access anything the user has permission to access. For this reason, only trusted users should be allowed to develop mods. If an untrusted visualization mod is accessed by a user who is allowed to trust mods, the user will be asked whether to trust the mod. It is then possible to choose to trust either that particular mod or to trust the signer. Once trusted, the mod will run for this particular user. Users who lack the permission to trust mods will not be able to use any untrusted mods at all. |
If you suspect that a signature or a specific mod has been misused, there are several actions that can be taken depending on the situation:
Option | Description |
---|---|
Remove previous trust decisions | Any trust decision, taken by either the administrator or by an end user, can be withdrawn. If an administrator has configured a signer to be trusted for a specific group, this trust can be removed by clicking Revoke trust on the Trusted signers page for the group in the administration pages on the server. See Removing trusted signers from a group. Administrators can also remove trust using the remove-code-trust command. End users can also remove trust for any mods or signers that they previously trusted on their My account page, which can be reached via the Manage trust dialog in the client. |
Invalidate signature (revoke certificate from server) | If there are suspicions that a user on the Spotfire Server has signed unsafe mods, it is possible to revoke the user's certificate, which renders signatures invalid. This prevents other users from making a trust decision based on false premises. When a certificate has been revoked, any mods that have been signed (after a specified time) will be considered invalid. An end user who tries to add a mod with an invalid signature will be informed that the signature has been invalidated. By default, mods with invalid signatures cannot be trusted in on-premises systems. An administrator can revoke the certificate for a user through the |
Block certificate, user or item | If there are suspicions that a certificate from a CA or a specific visualization mod is being used for malicious purposes, it should be blocked from the system. An administrator can block either the certificate, a Spotfire user or a specific visualization mod through the block-code-trust command. Note: If you select to block a specific mod then it might still be possible to trust and use an updated version of that mod. Note that any modification will be seen as an update from a trust perspective. See Blocking certificates, users or custom items for more information. |
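
The rules above (existing trust, the permission to trust, revocation with a time cutoff, and blocking) can be sketched as one decision function. This is an added example, not Spotfire code: the function, its field names, the sample values and the order of the checks are assumptions made for illustration.

```javascript
// Simplified model of the trust rules described above. Not Spotfire code:
// every name, field and the order of the checks is an assumption of this example.
function evaluateMod(mod, user, policy) {
  // 1. Blocks (certificate, user or specific item) apply to everyone.
  if (policy.blockedCerts.has(mod.certId) || policy.blockedUsers.has(mod.signer) ||
      policy.blockedItems.has(mod.digest)) return "blocked";
  // 2. Existing trust: signer trusted for one of the user's groups by an
  //    administrator, or signer/mod trusted by the user personally.
  const groupTrust = user.groups.some(
    (g) => (policy.groupTrustedSigners.get(g) || new Set()).has(mod.signer));
  if (groupTrust || user.trustedSigners.has(mod.signer) ||
      user.trustedMods.has(mod.digest)) return "run";
  // 3. Not yet trusted: a signature made after the certificate's revocation time
  //    is invalid and cannot be trusted (on-premises default). The page does not
  //    say whether revocation also stops already-trusted mods; this model
  //    assumes it does not, so step 2 comes first.
  const revokedFrom = policy.revokedCerts.get(mod.certId);
  if (revokedFrom !== undefined && mod.signedAt > revokedFrom) return "invalid-signature";
  // 4. Otherwise only users allowed to trust mods get the trust prompt.
  return user.canTrust ? "prompt" : "denied";
}

function demo() {
  const policy = {
    blockedCerts: new Set(), blockedUsers: new Set(), blockedItems: new Set(),
    revokedCerts: new Map(),
    groupTrustedSigners: new Map([["analysts", new Set(["alice"])]]),
  };
  const mkUser = (groups, canTrust) =>
    ({ groups, canTrust, trustedSigners: new Set(), trustedMods: new Set() });
  const [analyst, author, viewer] =
    [mkUser(["analysts"], false), mkUser([], true), mkUser([], false)];
  // Constructed sample mods; digest stands in for a hash of the mod's content.
  const mk = (digest, signedAt) => ({ digest, signer: "alice", certId: "cert-A", signedAt });
  const [v1, v2, v3] = [mk("d-v1", 100), mk("d-v2", 200), mk("d-v3", 300)];
  const out = {};
  out.groupTrusted = evaluateMod(v1, analyst, policy);
  out.mayTrust = evaluateMod(v1, author, policy);
  out.mayNotTrust = evaluateMod(v1, viewer, policy);
  policy.blockedItems.add(v2.digest);              // block one specific mod
  out.blockedV2 = evaluateMod(v2, analyst, policy);
  out.updatedV3 = evaluateMod(v3, analyst, policy); // modified copy: different item
  policy.revokedCerts.set("cert-A", 150);          // revoke, effective from t=150
  out.signedBefore = evaluateMod(v1, author, policy);
  out.signedAfter = evaluateMod(v3, author, policy);
  policy.blockedCerts.add("cert-A");               // block the certificate instead
  out.certBlockedV3 = evaluateMod(v3, analyst, policy);
  return out;
}
console.log(demo());
```

In this model, blocking a single item leaves a modified copy from the same signer usable, while blocking the certificate stops every version signed with it.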