Iframe with external website

Go to solution
Daniel Vieira
Tera Guru

3 weeks ago

Hello,

 

I want to create a widget in portal with iframe tag. Within that widget I put html <iframe and I use an external website( for test I'm putting www.youtube.com.
However it doesn't work and the video is not showing up.

I believe the error is caused by security that's why I try to user HTTP Response Header to configure which external websites should be viewed. 

 

Does anyone have a solution to create an iframe with external links?

 

Thanks,

Daniel Vieira

0 Helpfuls
  • 901 Views
1 ACCEPTED SOLUTION

Go to solution
Daniel Vieira
Tera Guru

3 weeks ago

Hello,


I found a solution for this issue. Since this involves security, you need to allow ServiceNow to use external links within an iframe. To achieve this, you must create an HTTP Response Header record and define which external sources are permitted for iframes in the Service Portal.

Here’s how you can do it:

  1. Navigate to sys_response_header.list and create a new record.
  2. Configure the necessary fields, such as:
    • Application
    • Name (e.g., Content-Security-Policy)
    • Other required fields (you’ll see them when creating the record).
  3. In the Value field, add something like:
    frame-src 'self' https://teams.microsoft.com
    This configuration means only links from your own instance (self) and Teams are trusted and can be used in iframes. Any link not listed here will be blocked.

Important Note:
The external sites you allow (e.g., Teams) must also permit their content to be embedded in iframes. This is not controlled on the ServiceNow side. For example, Teams needs to allow external domains (like your ServiceNow instance) to use their links in iframes. On their side, the configuration is similar but uses frame-ancestor instead of frame-src.

 

Hope this helps!

View solution in original post

0 Helpfuls
8 REPLIES 8

Go to solution
Ankur Bawiskar
Tera Patron

3 weeks ago

@Daniel Vieira 

external URLs in iframe within ServiceNow is sometimes not allowed.

-> I recently worked on something similar and on debugging we came across this error in browser console

-> When searched regarding this, I found that the external website won't allow their content to be embedded into other sites to avoid clickjacking attack. 

-> Reason being some websites send an "X-Frame-Options: SAMEORIGIN" response header. This option prevents the browser from displaying iFrames that are not hosted on the same domain as the parent page.

X-Frame-Options header 

💡 If my response helped, please mark it as correct and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader
0 Helpfuls

Go to solution
Ankur Bawiskar
Tera Patron
In response to Ankur Bawiskar

3 weeks ago

@Daniel Vieira 

Hope you are doing good.

Did my reply answer your question?

💡 If my response helped, please mark it as correct and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader
0 Helpfuls

Go to solution
Daniel Vieira
Tera Guru
In response to Ankur Bawiskar

3 weeks ago

Hello Ankur 🙂

No, it didn't work. It needs to work and I need to get a way to do it. Did you work with HTTP Response Header? I think I can create a Customer Secruity Policy to allow some external links?

Thanks

0 Helpfuls

Go to solution
Daniel Vieira
Tera Guru

3 weeks ago

Hello,


I found a solution for this issue. Since this involves security, you need to allow ServiceNow to use external links within an iframe. To achieve this, you must create an HTTP Response Header record and define which external sources are permitted for iframes in the Service Portal.

Here’s how you can do it:

  1. Navigate to sys_response_header.list and create a new record.
  2. Configure the necessary fields, such as:
    • Application
    • Name (e.g., Content-Security-Policy)
    • Other required fields (you’ll see them when creating the record).
  3. In the Value field, add something like:
    frame-src 'self' https://teams.microsoft.com
    This configuration means only links from your own instance (self) and Teams are trusted and can be used in iframes. Any link not listed here will be blocked.

Important Note:
The external sites you allow (e.g., Teams) must also permit their content to be embedded in iframes. This is not controlled on the ServiceNow side. For example, Teams needs to allow external domains (like your ServiceNow instance) to use their links in iframes. On their side, the configuration is similar but uses frame-ancestor instead of frame-src.

 

Hope this helps!

0 Helpfuls