Is it possible to set an "ALLOW-FROM" for iframe

s_bastienchante
Kilo Explorer

Hi,

We have an edge encryption proxy which works on a port other than 443 due to a security constraint.

This configuration generates white screens because some redirections inside iframes are not on the same "domain:port".

The glide.set_x_frame_options property allows authorizing other domain:port values, but it's considered a medium risk:

https://hi.service-now.com/kb_view.do?sysparm_article=KB0550654#10.2

 

My question is: does ServiceNow manage an "ALLOW-FROM" property which could authorize other specific URLs for iframe content?

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

 

Note :

The link https://community.servicenow.com/thread/177764 indicates that it's not possible, but it's an old post.

 

Regards,

Sébastien

1 ACCEPTED SOLUTION

Shiva Thomas
Kilo Sage

Hi Sébastien,



There is a System Property called glide.set_x_frame_options



Its definition may be relevant to your case:


Enable this property to set the X-Frame-Options response header to SAMEORIGIN for all UI pages. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.


https://developer.mozilla.org/en/the_x-frame-options_response_header  



It can be set here:


https://YOURINSTANCENAME.service-now.com/nav_to.do?uri=sys_properties.do?sys_id=6a80a123ff2010003061...



It's a true/false field, so there is not much control for granularity.



I did not find any other settings relevant to frames.




This didn't really answer the question, other than to state that you can disable the "SAMEORIGIN" default using the link you provided. The better solution would be to add one or many "whitelisted" sites in what the Mozilla documentation identifies as "ALLOW-FROM". On that sys_properties page there is a field called "Choices" which I hoped was the means of adding whitelisted sites, but either it doesn't work (or that is not its intended use) or I don't know the appropriate syntax.

Has anyone tried to whitelist sites, allowing those identified sites to embed ServiceNow and thereby leaving glide.set_x_frame_options set to true?

 

Thanks,

Dan
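The two replies above turn on the same point: X-Frame-Options SAMEORIGIN compares scheme, host and port, so an edge proxy on another port is a different origin, and the only other values the header ever had were DENY and ALLOW-FROM. ALLOW-FROM takes exactly one origin (not a list), was never implemented by Chrome or Safari, and is obsolete; the standard replacement for an allow-list of framing origins, including host:port entries, is the Content-Security-Policy frame-ancestors directive. Whether ServiceNow exposes a setting for that header is not something this thread establishes. The following JavaScript is an added example, not code from the thread or from ServiceNow: it models how a browser evaluates these headers against an embedding origin, with the asker's scenario as constructed sample data (instance.example.com, a proxy on port 8443, and evil.example are all invented). The opts.supportsAllowFrom knob is an assumption of the model standing in for old Firefox/IE; a browser that does not support ALLOW-FROM is modelled as ignoring the header, which is what Chrome reports in its console.

```javascript
// Added example (not from the thread, not ServiceNow code): a model of how a
// browser decides whether a page may be shown in an <iframe>, from the headers
// discussed above. Hostnames are constructed for illustration.
const DEFAULT_PORT = { https: '443', http: '80' };

// "scheme://host[:port]/..." -> origin tuple with the default port filled in,
// so https://a.example and https://a.example:443 compare as the same origin.
function parseOrigin(url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  return { scheme, host: u.hostname.toLowerCase(), port: u.port || DEFAULT_PORT[scheme] || '' };
}

// SAMEORIGIN compares scheme, host AND port: a proxy on another port is a
// different origin, which is why the frames in the question come up blank.
function sameOrigin(pageUrl, ancestorUrl) {
  const a = parseOrigin(pageUrl), b = parseOrigin(ancestorUrl);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Match one CSP frame-ancestors source expression against the embedding origin:
// 'none', '*', 'self', a bare scheme ("https:"), or a host expression with
// optional scheme, wildcard subdomain and port ("https://*.example.com:8443").
function sourceMatches(src, pageUrl, ancestorUrl) {
  const anc = parseOrigin(ancestorUrl);
  if (src === "'none'") return false;
  if (src === '*') return true;
  if (src === "'self'") return sameOrigin(pageUrl, ancestorUrl);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return anc.scheme === src.slice(0, -1).toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\*|\d+))?$/i.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const pageScheme = parseOrigin(pageUrl).scheme;
  if (scheme && anc.scheme !== scheme.toLowerCase()) return false;
  // No scheme in the source: the embedder must use the page's scheme (http may be upgraded to https).
  if (!scheme && anc.scheme !== pageScheme && !(pageScheme === 'http' && anc.scheme === 'https')) return false;
  const h = host.toLowerCase();
  if (wildcard ? !anc.host.endsWith('.' + h) : anc.host !== h) return false;
  if (port === '*') return true;
  // No port in the source means "the default port for the scheme", not "any port".
  return anc.port === (port || DEFAULT_PORT[anc.scheme]);
}

// Decide whether pageUrl, served with `headers`, may be framed by a document at
// ancestorUrl. opts.supportsAllowFrom (an assumption/knob for this model)
// stands for the old Firefox/IE behaviour; Chrome and Safari never implemented
// ALLOW-FROM and ignore the header, which leaves the page frameable by anyone.
function framingDecision(headers, pageUrl, ancestorUrl, opts = {}) {
  const get = name => Object.entries(headers).find(([k]) => k.toLowerCase() === name)?.[1];
  const csp = get('content-security-policy');
  const fa = csp && csp.split(';').map(d => d.trim().split(/\s+/))
                        .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (fa) {
    // When both headers are present, frame-ancestors wins and X-Frame-Options is ignored.
    const sources = fa.slice(1);           // an empty list behaves like 'none'
    const allowed = sources.some(src => sourceMatches(src, pageUrl, ancestorUrl));
    return { allowed, reason: `frame-ancestors ${sources.join(' ') || "''"}` };
  }
  const xfo = get('x-frame-options');
  if (xfo === undefined) return { allowed: true, reason: 'no framing header at all' };
  const [directive, arg] = xfo.trim().split(/\s+/);
  switch (directive.toUpperCase()) {
    case 'DENY':       return { allowed: false, reason: 'X-Frame-Options: DENY' };
    case 'SAMEORIGIN': return { allowed: sameOrigin(pageUrl, ancestorUrl), reason: 'X-Frame-Options: SAMEORIGIN' };
    case 'ALLOW-FROM':
      if (opts.supportsAllowFrom) return { allowed: !!arg && sameOrigin(arg, ancestorUrl), reason: `X-Frame-Options: ALLOW-FROM ${arg}` };
      return { allowed: true, reason: 'ALLOW-FROM unsupported: header ignored, framing allowed' };
    default:           return { allowed: true, reason: `unrecognised X-Frame-Options value ignored: ${xfo}` };
  }
}

// The scenario from the question, with constructed names: the instance on 443,
// an edge encryption proxy on another port, and an unrelated (attacker) site.
const INSTANCE = 'https://instance.example.com/nav_to.do';
const PROXY    = 'https://instance.example.com:8443/';
const ATTACKER = 'https://evil.example/';

function demo() {
  const sameorigin = { 'X-Frame-Options': 'SAMEORIGIN' };
  const allowFrom  = { 'X-Frame-Options': 'ALLOW-FROM https://instance.example.com:8443' };
  const csp        = { 'Content-Security-Policy': "frame-ancestors 'self' https://instance.example.com:8443" };
  const both       = { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': 'frame-ancestors https://*.example.com:*' };
  return {
    proxyBlockedBySameorigin:      !framingDecision(sameorigin, INSTANCE, PROXY).allowed,
    allowFromWorksInOldFirefox:     framingDecision(allowFrom, INSTANCE, PROXY, { supportsAllowFrom: true }).allowed,
    allowFromBlocksAttackerThere:  !framingDecision(allowFrom, INSTANCE, ATTACKER, { supportsAllowFrom: true }).allowed,
    allowFromLetsAttackerInChrome:  framingDecision(allowFrom, INSTANCE, ATTACKER).allowed,
    cspAllowsProxy:                 framingDecision(csp, INSTANCE, PROXY).allowed,
    cspBlocksAttacker:             !framingDecision(csp, INSTANCE, ATTACKER).allowed,
    cspOverridesXfoDeny:            framingDecision(both, INSTANCE, PROXY).allowed,
  };
}

console.log(demo());
```

Run it with node. Every key in the result is true, and the names say what each case shows: SAMEORIGIN rejects the proxy port; ALLOW-FROM only helps in a browser that still honours it and, in one that does not, leaves the page frameable by evil.example; a frame-ancestors list with an explicit host:port admits the proxy and nothing else; and when both headers are sent, frame-ancestors decides, so a stray DENY does not help and a permissive list does not hurt. The practical consequence for the thread's question is that whatever sets the header (the platform or the edge proxy in front of it) needs to emit frame-ancestors with the proxy's host:port rather than an ALLOW-FROM value.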

shivanipatel
ServiceNow Employee

Sebastien,



We are glad you took advantage of the ServiceNow Community to learn more and to get your questions answered. The Customer Experience Team is working hard to ensure that the Community experience is most optimal for our customers.



If you feel that your question was answered, we would greatly appreciate if you could mark the appropriate thread as "Correct Answer". This allows other customers to learn from your thread and improves the ServiceNow Community experience.



If you are viewing this from the Community inbox you will not see the correct answer button.   If so, please review How to Mark Answers Correct From Inbox View.



Thanks,


Shivani Patel




Hello,



I am new to this community and not sure if there is an SN product enhancement/request section, but is there any possibility of X-Frame-Options directives such as ALLOW-FROM being added at this point?


X-Frame-Options