Specify URL allow list for cross-origin iframe communication (instance security hardening)
Use the glide.ui.concourse.onmessage_enforce_same_origin_whitelist
property to enable cross-origin communication between iframes from trusted
domains you specify in an inclusion list.
More information
| Attribute | Description |
|---|---|
| Property name | glide.ui.concourse.onmessage_enforce_same_origin_whitelist |
| Configuration type | System Properties (/sys_properties_list.do) |
| Configure in Instance Security Center | No |
| Purpose | To enable inclusion listing of trusted domains, so they can communicate between iframes for openframe. |
| Requirement | Mandatory |
| Functional Impact | If you do not inclusion list intended domains, the ability to embed other pages within the ServiceNow AI Platform instances may be limited. |
| Security risk | (High) If a web page contains event handlers that do not perform proper origin validation, a web page, or script from any origin, can communicate with it. It can also initiate any functionality performed by the event handler. Communication with iframes from other domains is a security risk. |
To learn more about adding or creating a system property, see Add a system property.