- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
Hello,
I want to create a widget in portal with iframe tag. Within that widget I put html <iframe and I use an external website( for test I'm putting www.youtube.com.
However it doesn't work and the video is not showing up.
I believe the error is caused by security that's why I try to user HTTP Response Header to configure which external websites should be viewed.
Does anyone have a solution to create an iframe with external links?
Thanks,
Daniel Vieira
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
Hello,
I found a solution for this issue. Since this involves security, you need to allow ServiceNow to use external links within an iframe. To achieve this, you must create an HTTP Response Header record and define which external sources are permitted for iframes in the Service Portal.
Here’s how you can do it:
- Navigate to sys_response_header.list and create a new record.
- Configure the necessary fields, such as:
- Application
- Name (e.g., Content-Security-Policy)
- Other required fields (you’ll see them when creating the record).
- In the Value field, add something like:
frame-src 'self' https://teams.microsoft.com
This configuration means only links from your own instance (self) and Teams are trusted and can be used in iframes. Any link not listed here will be blocked.
Important Note:
The external sites you allow (e.g., Teams) must also permit their content to be embedded in iframes. This is not controlled on the ServiceNow side. For example, Teams needs to allow external domains (like your ServiceNow instance) to use their links in iframes. On their side, the configuration is similar but uses frame-ancestor instead of frame-src.
Hope this helps!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
<iframe width="560" height="315" src="https://www.youtube.com/embed/dQw4w9WgXcQ?si=CHbVhTWZ11GR-0Pa" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>What kind of error are actually running into? Many websites block embedding their page into an iframe but youtube gives you the embed snippet when you click share on a video.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
Thanks!
It works but I really want to know if we can use CSP to allow some external links. Youtube is not the best example for that. Did you already work with a way to allow some external link with CSP and/or "X-Frame-Options: SAMEORIGIN" response header and how to prevent that?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
It's the browser that blocks the page from being displayed to protect the users of the page being embedded.
What is it you are trying to put in an IFrame? Perhaps there is a built in way like on YouTube or different google apps. Or if it's relatively static content just store it on-platform if a simple link won't suffice.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
Hello @Daniel Vieira ,
As per my knowledge displaying in most of cases showing external content within an iframe is not supported by the target domain/server and browser security. In this case YouTube is restricting content access in iframe.
So the solution would be, if you have in house content stored in ServiceNow or in other place which you sure will not restrict the access in iframe you can use that. Or you can use hyperlinks so the content will open in new page.
Regards,
Siddhesh Gawade
