Specify URL allow list for cross-origin iframe communication
Use a system property to specify which domains you trust for cross-origin communication.
Use the glide.ui.concourse.onmessage_enforce_same_origin_whitelist property to enable cross-origin communication between iframes from trusted domains that you specify in an inclusion list. This property specifies the list of trusted origins for message propagation (sent via window.postMessage) in the UI. If this property isn't set to a list of trusted origins for cross-domain messaging, cross-origin messages can be allowed from domains that contain malicious scripts. The property value should contain a list of origins separated by commas. If the property value is empty, all domains are blocked.
Ensure that the glide.ui.concourse.onmessage_enforce_same_origin_whitelist system property contains only a list of trusted domains to be used for cross-origin messaging. If the list is empty, no domains are allowed.
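How an allow list of this kind is typically enforced in a `message` listener, as an added example (not ServiceNow platform code). It assumes each entry in the property value is a full origin such as https://partner.example.com; the function names and sample values are hypothetical.

```javascript
// Added illustration, not ServiceNow platform code.
// Assumption: each list entry is a full origin (scheme://host[:port]).

// Canonicalize one entry to the form browsers report in event.origin.
function normalizeOrigin(entry) {
  try {
    const origin = new URL(entry.trim()).origin;
    return origin === 'null' ? null : origin; // opaque origins are never trusted
  } catch (e) {
    return null; // unparseable entry: drop it rather than guess
  }
}

// Parse the comma-separated property value into a Set of origins.
function parseAllowList(propertyValue) {
  const allowed = new Set();
  for (const raw of String(propertyValue || '').split(',')) {
    const origin = raw.trim() ? normalizeOrigin(raw) : null;
    if (origin) allowed.add(origin);
  }
  return allowed;
}

// Exact match on scheme, host and port; an empty list blocks every origin.
function isOriginAllowed(origin, allowed) {
  return allowed.size > 0 && allowed.has(origin);
}

// Build a listener that only passes messages from listed origins to onTrusted.
function makeMessageHandler(propertyValue, onTrusted) {
  const allowed = parseAllowList(propertyValue);
  return function (event) {
    if (!isOriginAllowed(event.origin, allowed)) return false; // dropped
    onTrusted(event.data, event.origin);
    return true;
  };
}

// Constructed sample property value and message events.
function demo() {
  const handler = makeMessageHandler(
    'https://partner.example.com, https://tools.example.org:8443', () => {});
  return [
    'https://partner.example.com',               // listed
    'https://tools.example.org:8443',            // listed, non-default port
    'http://partner.example.com',                // scheme differs
    'https://partner.example.com.other.example', // look-alike suffix
  ].map((origin) => handler({ origin, data: 'ping' }));
}
// In a browser: window.addEventListener('message', makeMessageHandler(value, fn));
```

The comparison is an exact origin match, so a listed host does not implicitly trust its subdomains, other ports, or the http:// variant of an https:// entry.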
More information
| Attribute | Description |
|---|---|
| Configuration name | glide.ui.concourse.onmessage_enforce_same_origin_whitelist |
| Configuration type | System Properties (/sys_properties_list.do) |
| Data type | String |
| Recommended value | A comma-separated list of trusted domains, or empty |
| Default value | empty |
| Fallback value | empty |
| Category | Access control |
| Security risk | |
| Functional impact | If you don't add intended domains to the inclusion list, cross-origin messages from that domain are not allowed. |
| Dependencies and prerequisites | None |