Restrict allowed domains for cross-origin iframe communication

Release version: Australia

Updated March 12, 2026

1 minute to read

Use a system property to enable cross-origin communication between iframes.

Use the glide.ui.concourse.onmessage_enforce_same_origin property to prevent cross-origin communication from untrusted domains. If not set to the recommended value of true then validation is not performed for cross-origin messaging. If set to true then domains listed in the glide.ui.concourse.onmessage_enforce_same_origin_whitelist system property can propagate messages in the UI. Use glide.ui.concourse.onmessage_enforce_same_origin_whitelist to control which domains are allowed.

Ensure that the glide.ui.concourse.onmessage_enforce_same_origin property exists in the System Properties [sys_properties] table and is set to true.

More information


Attribute	Description
Configuration name	glide.ui.concourse.onmessage_enforce_same_origin
Configuration type	System Properties (/sys_properties_list.do)
Data type	Boolean
Recommended value	true
Default value	true
Fallback value	false
Category	Access control
Security risk	Severity score: 4.2 CVSS score: Medium Security risk details: If a web page's event handlers don't perform proper origin validation, then another web page or script from any origin can communicate with it. These pages or scripts can also initiate any functionality performed by the event handler. This property allows potentially untrusted external domains to send messages to the ServiceNow instance, increasing the risk of cross-origin attacks like data theft or UI manipulation.
Functional impact	If you don't add intended domains to the inclusion list in the glide.ui.concourse.onmessage_enforce_same_origin_whitelist system property, cross-origin messages from that domain aren't allowed.
Dependencies and prerequisites	None