Enable AJAXEvaluate (instance security hardening)

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 1 minute to read
  • Use the glide.script.allow.ajaxevaluate property to stop client scripts from sending arbitrary script to the server for execution through the AJAXEvaluate system API.

    There are two cases in the ServiceNow AI Platform in which the client can send script to the server for evaluation:

    Filters and/or queries
      It is legal to send a filter to the server such as assigned_to=javascript:getMyGroups(), so the value of a query condition can itself be script that the server evaluates.

    System API
      The AJAXEvaluate API call allows the client to run arbitrary scripts on the server and receive the response.

    When you set glide.script.allow.ajaxevaluate to false, the ServiceNow AI Platform does not allow the AJAXEvaluate API call to be used from client scripts.

    More information

    Attribute                              Description
    Property name                          glide.script.allow.ajaxevaluate
    Configuration type                     System Properties (/sys_properties_list.do)
    Configure in Instance Security Center  Yes
    Purpose                                Restrict arbitrary client script execution using the system API on the server side
    Recommended value                      false
    Functional impact                      This remediation turns the AJAXEvaluate processor off. It can break functionality if any customized script explicitly uses the AJAXEvaluate processor; rework such scripts (GlideAjax with a client-callable script include is the supported alternative) before setting the property to false.

    For more information, see GlideAjax.

    Security risk (High) AJAXEvaluate lets a client-side script submit arbitrary JavaScript that the server evaluates with access to server-side scripting objects, so a client that can reach the processor can run its own code on the server, not merely in the browser.
    References

    Configuring Script sandbox property

    GlideAjax

    glide.script.allow.ajaxevaluate belongs to the same family of properties that secure and restrict execution of scripts originating from the client:

    To learn more about adding or creating a system property, see Add a system property.