HTML Editor (TinyMCE) stripping out referrerpolicy HTML attribute

BabyYoda
Tera Expert

I discovered that the HTML Editor (TinyMCE) is stripping out the referrerpolicy HTML attribute. The way I discovered this is by embedding a video via Source code in a KB Article.

Take an example from YouTube. Let's pick this test video:

https://www.youtube.com/watch?v=C0DPdy98e4c

Copy the embedded code into KB Article -> HTML Editor -> Source Code:

<iframe width="560" height="315" src="https://www.youtube.com/embed/C0DPdy98e4c?si=6_46EHMQTqifr7Wi" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>

Click "Save".

Now re-open Source Code. For me, it strips out the referrerpolicy HTML attribute.

It doesn't have to be a YouTube video. It could be any type of embedded video. Probably any type of embedded content, but that's not confirmed, as most embedded code snippets you'll find are iframes.

This was working before as of Utah Patch 9 HF1. I don't know what version of TinyMCE was installed, but it was either TinyMCE v4 or TinyMCE v5, but that doesn't isolate it to the exact TinyMCE version number.

Confirmed working as of Utah Patch 9 HF1.

Unconfirmed but it may have stopped working as of:

Utah Patch 9 HF1a

Utah Patch 9 HF1b

Utah Patch 10 HF1

Utah Patch 10a

Confirmed not to be working as of:

Utah Patch 10b

Washington DC Patch 2 HF2

Washington DC Patch 4 HF1

It's not an attribute that you need to enter in as an exclusion via HTML sanitization. I've already tried that anyway.

I opened a Case with ServiceNow on this topic. Best they can say is that this is system-wide and is isolated to the TinyMCE editor, which is a 3rd party tool. They were not able to tell me the exact TinyMCE version that is currently installed on my test instance or PDI. Their recommendation was to change referrer policy at the global level, via System Property. This is something I've not had to do at all in the past. That System Property is set to default and has never been changed. Something changed within the last several months. To change it at a global level is not an optimal solution. It will also involve much smoke testing since it affects the entire instance. My workaround was to re-insert the referrerpolicy via BR for a specific set of KB tables to appease the users. That works for now but, again, it's a system-wide issue.

I may need to reach out to TinyMCE collaboration on GitHub to find out if it's their tool that is stripping out the referrerpolicy HTML attribute or if, somehow, something is not working from the ServiceNow end and I need to push more to get this listed as a PRB or enhancement request. It definitely was working at one time. This feels like a defect, because stripping something out of the source code without any graceful warning or error to the user or the system admin (i.e. logs) is not proper practice in my view. This feels like an oversight condition during QAing a patch or upgrade that was never tested.

The problem is I can no longer reproduce the working use-case because all my instances are up-to-date and I cannot acquire any Utah PDIs that have the proper patch to reproduce the working use-case. ServiceNow Support also is in the same boat, likely because they share the same PDI pool as us. Without being able to reproduce the working use-case, they basically said there's nothing they can do to address it, as TinyMCE is a 3rd party tool.

With that, can anyone reproduce the working use-case, regardless of what release or patch is installed? And what exact version of TinyMCE is installed?

1 REPLY 1

clementh
Tera Contributor

Hi @BabyYoda ,

I'm facing this same issue and would like to know the steps for your workaround. Could you please explain how you got this to work? Or any progress on this?

Thanks!
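
One way to do the kind of re-insertion the original post describes as its workaround, as an added example that is not the poster's Business Rule or ServiceNow code: a plain JavaScript function that adds `referrerpolicy` to `<iframe>` tags that lack it. The function name and the sample HTML are assumptions; wiring it to a specific table field is left out because the thread does not describe it.

```javascript
// Added example. ensureIframeReferrerPolicy is a hypothetical helper name,
// not a ServiceNow or TinyMCE API.
var ALLOWED_POLICIES = [
  'no-referrer', 'no-referrer-when-downgrade', 'origin',
  'origin-when-cross-origin', 'same-origin', 'strict-origin',
  'strict-origin-when-cross-origin', 'unsafe-url'
];

// Opening <iframe ...> tag; quoted attribute values may themselves contain '>'.
var IFRAME_OPEN = /<iframe(?=[\s>\/])((?:"[^"]*"|'[^']*'|[^'">])*)>/gi;
// A referrerpolicy attribute name at the start of the attributes or after a separator.
var HAS_POLICY = /(?:^|[\s"'\/])referrerpolicy\s*=/i;

function ensureIframeReferrerPolicy(html, policy) {
  // The policy is written into markup, so accept only the known keywords.
  if (ALLOWED_POLICIES.indexOf(policy) === -1) {
    throw new Error('Unknown referrer policy: ' + policy);
  }
  var patched = 0;
  var out = String(html).replace(IFRAME_OPEN, function (tag, attrs) {
    // Blank out quoted values so text such as title="referrerpolicy=x" is not
    // mistaken for the attribute itself.
    var bare = attrs.replace(/"[^"]*"|'[^']*'/g, '""');
    if (HAS_POLICY.test(bare)) {
      return tag; // already set: keep the author's value
    }
    patched++;
    // Keep a trailing " /" (XHTML-style tag) after the inserted attribute.
    var m = /^([\s\S]*?)(\s+\/)?\s*$/.exec(attrs);
    return '<iframe' + m[1] + ' referrerpolicy="' + policy + '"' + (m[2] || '') + '>';
  });
  return { html: out, patched: patched };
}

// Constructed sample: the page's YouTube embed as it looks after the editor
// removed referrerpolicy.
var SAVED_HTML = '<p>Demo</p><iframe width="560" height="315" ' +
  'src="https://www.youtube.com/embed/C0DPdy98e4c" ' +
  'title="YouTube video player" frameborder="0" allowfullscreen></iframe>';

var result = ensureIframeReferrerPolicy(SAVED_HTML, 'strict-origin-when-cross-origin');
console.log(result.patched, result.html);
```

Regex matching is adequate for editor-generated markup; a tag with unbalanced quotes is left unchanged rather than guessed at.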