Is it possible to set an "ALLOW-FROM" for iframe

s_bastienchante
Kilo Explorer

Hi,

We have an edge encryption proxy which works on a port other than 443 due to a security constraint.

This configuration generates white screens because some redirections in iframes are not on the same "domain:port".

The glide.set_x_frame_options property allows other domain:port combinations to be authorized, but it's considered a medium risk.

https://hi.service-now.com/kb_view.do?sysparm_article=KB0550654#10.2

 

My question is: does ServiceNow manage an "ALLOW-FROM" property which could authorize other specific URLs for iframe content?

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

 

Note:

The link https://community.servicenow.com/thread/177764 indicates that it's not possible but it's an old post.

 

Regards,

Sébastien

1 ACCEPTED SOLUTION

Shiva Thomas
Kilo Sage

Hi Sébastien,



There is a system property called glide.set_x_frame_options.



Its definition may be relevant to your case:


Enables this property to set the X-Frame-Options response header to SAMEORIGIN for all UI pages. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.


https://developer.mozilla.org/en/the_x-frame-options_response_header  



It can be set here:


https://YOURINSTANCENAME.service-now.com/nav_to.do?uri=sys_properties.do?sys_id=6a80a123ff2010003061...



It's a true/false field, so there is not much control for granularity.



I did not find any other settings relevant to frames.



8 REPLIES

pavanm_now_
ServiceNow Employee

The allow-from option for X-Frame-Origin has become obsolete in the HTTP standards.


Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

 

Pavan
Product Security | ServiceNow
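An added example, not part of the original thread and not ServiceNow code: a small JavaScript model of how current browsers evaluate X-Frame-Options, showing why a proxy on a non-default port fails the SAMEORIGIN check and why an ALLOW-FROM value provides no protection. The hostnames, ports and paths are constructed placeholders, and the function name is hypothetical.

```javascript
// Added example. All URLs used with it are constructed placeholders.

// An origin is scheme + host + port. URL.origin drops default ports,
// so https://host and https://host:443 compare equal, but :8443 does not.
function originOf(url) {
  return new URL(url).origin;
}

/**
 * Model of the browser-side X-Frame-Options decision.
 * @param {string|null} xfo        raw header value, or null when absent
 * @param {string} framedUrl       URL of the page loaded inside the iframe
 * @param {string[]} ancestorUrls  URLs of the parent and every other ancestor
 * @returns {{allowed: boolean, reason: string}}
 */
function evaluateXFrameOptions(xfo, framedUrl, ancestorUrls) {
  if (xfo === null || xfo.trim() === "") {
    return { allowed: true, reason: "no X-Frame-Options header" };
  }
  const value = xfo.trim().toUpperCase();

  if (value === "DENY") {
    return { allowed: false, reason: "DENY blocks all framing" };
  }

  if (value === "SAMEORIGIN") {
    const self = originOf(framedUrl);
    const mismatch = ancestorUrls.find((a) => originOf(a) !== self);
    if (mismatch) {
      return {
        allowed: false,
        reason: `ancestor ${originOf(mismatch)} differs from ${self}`,
      };
    }
    return { allowed: true, reason: "all ancestors share the origin" };
  }

  // ALLOW-FROM is obsolete: current browsers ignore a header carrying it,
  // so the page can be framed by any site.
  return {
    allowed: true,
    reason: "unsupported value ignored, header gives no framing protection",
  };
}
```
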

VirmaniS
Kilo Explorer

@pavanm(now): Please could you confirm then how to authorize a published ServiceNow report to be accessible in an iframe on an external site. I need to include it on a Confluence page. When provided as an iframe URL, the report isn't loading.

I have a similar requirement.

BTW I tried to set glide.set_x_frame_options to false on my personal dev instance (logged in as admin) and I can't even change the value. 

 


Peter, under your admin account name in the top right, click on the menu and select "Elevate Roles" and then you will have the authority to change that to false.