06-28-2017 01:58 AM
Hi,
We have an edge encryption proxy which works on a port other than 443 due to a security constraint.
This configuration generates white screens because some redirections in iframes do not have the same "domain:port".
The glide.set_x_frame_options property allows authorizing other domain:port values, but it's considered a medium risk:
https://hi.service-now.com/kb_view.do?sysparm_article=KB0550654#10.2
My question is: does ServiceNow support an "ALLOW-FROM" property which could authorize other specific URLs for iframe content?
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Note :
The link https://community.servicenow.com/thread/177764 indicates that it's not possible but it's an old post.
Regards,
Sébastien
Labels: Security Operations
06-28-2017 12:36 PM
Hi Sébastien,
There is a System Property called glide.set_x_frame_options.
Its definition may be relevant to your case:
Enable this property to set the X-Frame-Options response header to SAMEORIGIN for all UI pages. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.
https://developer.mozilla.org/en/the_x-frame-options_response_header
It can be set here:
It's a true/false field, so there is not much control over granularity.
I did not find any other settings relevant to frames.
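To make the SAMEORIGIN behaviour described above concrete, here is a small added example (not code from the thread or from ServiceNow) that models how a browser decides whether a page may be framed, given its response headers. It evaluates X-Frame-Options (DENY, SAMEORIGIN, legacy ALLOW-FROM) and the CSP frame-ancestors directive that replaced ALLOW-FROM, and compares full origins (scheme, host, port), which is exactly why a proxy on a non-443 port breaks "same origin". Hostnames are constructed; frame-ancestors matching is simplified to full `scheme://host[:port]` sources.

```python
from urllib.parse import urlsplit

# Constructed sample: an instance reached through an edge proxy on port 8443
# (hypothetical hostname, not taken from the thread).
PAGE_ORIGIN = "https://instance.example.com:8443"
SAME_HOST_DEFAULT_PORT = "https://instance.example.com"  # implicit :443


def origin_of(url):
    """Return (scheme, host, port) with the scheme's default port applied.
    'https://a.example.com' equals 'https://a.example.com:443', but
    'https://a.example.com:8443' is a different origin to the browser."""
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme.lower())
    return (u.scheme.lower(), (u.hostname or "").lower(), port)


def may_frame(headers, page_url, embedder_url):
    """True if a browser would render page_url inside a frame on embedder_url.
    CSP frame-ancestors takes precedence when present; otherwise
    X-Frame-Options is used; with neither header any site may frame the page."""
    h = {k.lower(): v for k, v in headers.items()}
    embedder = origin_of(embedder_url)
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = parts[1:]
            if "'none'" in sources:
                return False
            if "'self'" in sources and origin_of(page_url) == embedder:
                return True
            # Simplification: only full-origin sources, no host wildcards.
            return any(origin_of(s) == embedder for s in sources if "://" in s)
    xfo = h.get("x-frame-options", "").strip()
    if not xfo:
        return True
    value, _, uri = xfo.partition(" ")
    value = value.upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin_of(page_url) == embedder
    if value == "ALLOW-FROM":
        # Legacy directive: modelled here as a browser that still honours it;
        # current browsers ignore ALLOW-FROM entirely (treat it as absent).
        return origin_of(uri.strip()) == embedder
    return True  # unrecognised value: browsers ignore the header
```

The second assertion-style case worth trying is `may_frame({"X-Frame-Options": "SAMEORIGIN"}, PAGE_ORIGIN + "/nav_to.do", SAME_HOST_DEFAULT_PORT)`, which is false purely because of the port difference.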
08-13-2019 12:56 PM
This didn't really answer the question other than to state that you can disable the "SAMEORIGIN" default using the link you provided. The better solution would be to add one or many "white-listed" sites in what the Mozilla documentation identifies as "ALLOW-FROM". On that sys_properties page there is a field called "Choices" which I hoped was the means of adding white-listed sites, but either it doesn't work (or that is not its intended use) or I don't know the appropriate syntax.
Has anyone tried to white-list sites, allowing those identified sites to embed Service-Now and thereby leaving glide.set_x_frame_options enabled (true)?
Thanks,
Dan
07-17-2017 11:03 AM
Sebastien,
We are glad you took advantage of the ServiceNow Community to learn more and to get your questions answered. The Customer Experience Team is working hard to ensure that the Community experience is most optimal for our customers.
If you feel that your question was answered, we would greatly appreciate if you could mark the appropriate thread as "Correct Answer". This allows other customers to learn from your thread and improves the ServiceNow Community experience.
If you are viewing this from the Community inbox you will not see the correct answer button. If so, please review How to Mark Answers Correct From Inbox View.
Thanks,
Shivani Patel
02-13-2018 02:12 PM
Hello,
I am new to this community and not sure if there is an SN product enhancement/request section, but is there any possibility of X-Frame-Options directives such as ALLOW-FROM being added at this point?
X-Frame-Options
