
AVEVA™ PI Vision™

Change content security policy

  • Last Updated Apr 07, 2025

AVEVA PI Vision uses Content Security Policy (CSP) headers to provide security against Cross Site Scripting (XSS) and other attacks. For more information on CSP and the available directives, see Content Security Policy (CSP) on MDN Web Docs.

By default, AVEVA PI Vision uses a policy that mitigates the risk of XSS attacks while maintaining functionality in typical deployments. This policy includes:

  • Use of the script-src directive to restrict script execution to files that were downloaded from the AVEVA PI Vision site and to block any untrusted inline scripts.

  • Use of the frame-src directive to restrict embedded <frame> and <iframe> elements to only load content from the AVEVA PI Vision site.

You can modify these policies to add additional trusted sources or to disable the policies altogether. This may be necessary if custom symbols built with the AVEVA PI Vision extensibility framework require scripts or frames to load from remote sources.

You can specify additional CSP directives for use by AVEVA PI Vision. Use this to specify additional CSP protections or to specify a reporting endpoint for the report-uri directive.

  1. Open the web.config file in the AVEVA PI Vision root installation folder in any text editor.

  2. To modify the script-src directive to add additional allowed sources for scripts, add the following settings to the <appSettings> section:

    <add key="ScriptSrcPolicy" value="*.company.com trustedsite.com" />

    1. To disable the script-src directive altogether, use the following settings instead:

      <add key="ScriptSrcPolicy" value="Disable" />

    Note: If you need to specify multiple sources, separate them with a space.

  3. To modify the frame-src directive to add additional allowed sources for frames, add the settings below to the <appSettings> section:

    <add key="FrameSrcPolicy" value="*.company.com trustedsite.com" />

    1. To disable the frame-src directive altogether, use the following settings instead:

      <add key="FrameSrcPolicy" value="Disable" />

    Note: If you need to specify multiple sources, separate them with a space.

  4. Add additional CSP directives with the following settings:

    <add key="CspCustomPolicy" value="frame-ancestors 'self'; report-uri https://company.com/csp-reports" />

    Note: If you need to specify multiple directives, separate them with a semicolon.

  5. If PI Vision iframes will be embedded on pages that support authentication through AVEVA Identity Manager with OpenID Connect, you can configure PI Vision to use the OpenID Connect credentials rather than prompt for a login.

    1. Open PowerShell ISE on the AVEVA Identity Manager node. Configure an AVEVA Identity Manager client with the AllowXFrameCrossOrigin setting enabled. This ensures that the browser doesn't block the credentials in PI Vision.

      For more information, see Frequently asked questions (FAQs) in the AVEVA PI Server Installation and Configuration documentation.

    2. In the <appSettings> section, add a new value to allow cross-site OpenID Connect authentication:

      <add key="AuthenticationCookieSameSite" value="None" />

    3. In the system.web/httpCookies element, change the sameSite attribute to None from the default of Strict:

      <httpCookies httpOnlyCookies="true" sameSite="None" requireSSL="true" />
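The steps above change four settings that together decide what the browser is allowed to load and whether the authentication cookie travels cross-site. The script below is an added example, not part of this documentation and not AVEVA code: it reads the CSP-related appSettings and the httpCookies element from a web.config, predicts the resulting script-src and frame-src directives, and flags the weakening choices a reviewer would want to catch (a directive set to Disable, a bare * or http: source, a missing report-uri/report-to, and SameSite=None without requireSSL). The web.config fragment is constructed for the example, and the way the header is composed (the PI Vision site as 'self' plus the configured sources, with the directive dropped entirely when the value is Disable) is an assumption drawn from the wording of steps 2 and 3, not from the product's source.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragment; not copied from an installation.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="ScriptSrcPolicy" value="*.company.com trustedsite.com" />
    <add key="FrameSrcPolicy" value="Disable" />
    <add key="CspCustomPolicy" value="frame-ancestors 'self'; report-uri https://company.com/csp-reports" />
    <add key="AuthenticationCookieSameSite" value="None" />
  </appSettings>
  <system.web>
    <httpCookies httpOnlyCookies="true" sameSite="None" requireSSL="true" />
  </system.web>
</configuration>
"""

# Setting keys named in the procedure -> the CSP directive each one controls.
DIRECTIVE_KEYS = (("script-src", "ScriptSrcPolicy"), ("frame-src", "FrameSrcPolicy"))


def load_config(xml_text):
    """Return (appSettings as a dict, httpCookies attributes as a dict)."""
    root = ET.fromstring(xml_text)
    settings = {}
    app = root.find("appSettings")
    if app is not None:
        for add in app.findall("add"):
            if add.get("key"):
                settings[add.get("key")] = add.get("value", "")
    cookies = next(root.iter("httpCookies"), None)
    return settings, (dict(cookies.attrib) if cookies is not None else {})


def build_directive(name, configured):
    """Assumed composition model: 'self' plus configured sources; None if disabled."""
    if configured is None or not configured.strip():
        return f"{name} 'self'"
    if configured.strip().lower() == "disable":
        return None
    return f"{name} 'self' " + " ".join(configured.split())


def parse_custom_policy(value):
    """Split a CspCustomPolicy value (directives separated by ';') into a dict."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def effective_csp(settings):
    """Predict the Content-Security-Policy header these settings produce."""
    parts = []
    for name, key in DIRECTIVE_KEYS:
        directive = build_directive(name, settings.get(key))
        if directive:
            parts.append(directive)
    for name, values in parse_custom_policy(settings.get("CspCustomPolicy", "")).items():
        parts.append(" ".join([name, *values]))
    return "; ".join(parts)


def audit(settings, cookies):
    """Return human-readable findings about weakening choices in the settings."""
    findings = []
    for name, key in DIRECTIVE_KEYS:
        value = settings.get(key, "").strip()
        if value.lower() == "disable":
            findings.append(f"{name} is disabled; PI Vision no longer restricts these sources")
            continue
        for src in value.split():
            if src in ("*", "'unsafe-inline'", "'unsafe-eval'") or src.startswith("http:"):
                findings.append(f"{name} allows an overly broad source: {src}")
    custom = parse_custom_policy(settings.get("CspCustomPolicy", ""))
    if not ({"report-uri", "report-to"} & custom.keys()):
        findings.append("no reporting endpoint configured; CSP violations will go unnoticed")
    if settings.get("AuthenticationCookieSameSite", "").strip().lower() == "none":
        if cookies.get("sameSite", "").lower() != "none":
            findings.append("AuthenticationCookieSameSite=None but httpCookies sameSite is not None")
        if cookies.get("requireSSL", "").lower() != "true":
            findings.append('SameSite=None cookies must be Secure; set requireSSL="true" on httpCookies')
    return findings


if __name__ == "__main__":
    app_settings, cookie_attrs = load_config(SAMPLE_WEB_CONFIG)
    print("Predicted header:", effective_csp(app_settings))
    for finding in audit(app_settings, cookie_attrs):
        print("FINDING:", finding)
```

Run it against a copy of the real web.config by replacing SAMPLE_WEB_CONFIG with the file's contents; the predicted header is only as accurate as the assumed composition model, so confirm it against the Content-Security-Policy header the site actually returns before relying on it.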
