Is it possible to set an "ALLOW-FROM" for iframe

Go to solution
s_bastienchante
Kilo Explorer

‎06-28-2017 01:58 AM

Hi,

We have an edge encryption proxy which work on another port than the 443 due to security constraint.

This configuration generate white screens because some redirection in iframe are not the same "domain:port".

The  glide.set_x_frame_options properties allow to authorize other domain:port but it's considered as  a medium risk

https://hi.service-now.com/kb_view.do?sysparm_article=KB0550654#10.2

 

My question is : Is Service Now manage an "ALLOW-FROM"  properties which could authorize others specifics URL for iframe content ?

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

 

Note :

The link https://community.servicenow.com/thread/177764 indicates that it's not possible but it's an old post.

 

Regards,

Sébastien

Labels:
0 Helpfuls
  • 6,696 Views
1 ACCEPTED SOLUTION

Go to solution
Shiva Thomas
Kilo Sage

‎06-28-2017 12:36 PM

Hi Sébastien,



There is a System Properties called glide.set_x_frame_options



Its definition may be relevant to your case: 


Enables this property to set the X-Frame-Options response header to SAMEORIGIN for all UI pages. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

https://developer.mozilla.org/en/the_x-frame-options_response_header  


It can be set here:


https://YOURINSTANCENAME.service-now.com/nav_to.do?uri=sys_properties.do?sys_id=6a80a123ff2010003061...



It's a true/false field, so there is not much control for granularity.



I did not find any other settings for relevant to Frames.


View solution in original post

0 Helpfuls
8 REPLIES 8

Go to solution
Shiva Thomas
Kilo Sage

‎06-28-2017 12:36 PM

Hi Sébastien,



There is a System Properties called glide.set_x_frame_options



Its definition may be relevant to your case: 


Enables this property to set the X-Frame-Options response header to SAMEORIGIN for all UI pages. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

https://developer.mozilla.org/en/the_x-frame-options_response_header  


It can be set here:


https://YOURINSTANCENAME.service-now.com/nav_to.do?uri=sys_properties.do?sys_id=6a80a123ff2010003061...



It's a true/false field, so there is not much control for granularity.



I did not find any other settings for relevant to Frames.


0 Helpfuls

Go to solution
danb2015
Kilo Contributor
In response to Shiva Thomas

‎08-13-2019 12:56 PM

This didn't really answer the question other than to state that you can disable the "SAMEORIGIN" default using the link you provided.  The better solution would be to add one or many "white listed" sites in what the mozilla documentation identifies as "ALLOW-FROM".  On that sys_properties page there is a field called "Choices" which I hoped was the means of adding white-listed sites, but either it doesn't work (or that is not its intended use) or I don't know the appropriate syntax.

Has anyone tried to white-list sites allowing those identified sites to embed Service-Now and thereby leaving the glide.set_x_frame_options enabled to true?

 

Thanks,

Dan

0 Helpfuls

Go to solution
shivanipatel
ServiceNow Employee
ServiceNow Employee

‎07-17-2017 11:03 AM

Sebastien,



We are glad you took advantage of the ServiceNow Community to learn more and to get your questions answered. The Customer Experience Team is working hard to ensure that the Community experience is most optimal for our customers.



If you feel that your question was answered, we would greatly appreciate if you could mark the appropriate thread as "Correct Answer". This allows other customers to learn from your thread and improves the ServiceNow Community experience.



If you are viewing this from the Community inbox you will not see the correct answer button.   If so, please review How to Mark Answers Correct From Inbox View.



Thanks,


Shivani Patel


Unknown-1.png


Preview file
11 KB
0 Helpfuls

Go to solution
ayoung
Kilo Explorer
In response to shivanipatel

‎02-13-2018 02:12 PM

Hello,



I am new to this community and not sure if there is an SN product enhancement/request section but, is there any possibility of X-Frame-Options directives such as ALLOW-FROM being added at time point?


X-Frame-Options


0 Helpfuls