Enable URL allow list for cross-origin iframe communication (instance security hardening)
Use the glide.ui.concourse.onmessage_enforce_same_origin property
to enable cross-origin communication between iframes.
Openframe can only process messages from
trusted domains that are specified in the
glide.ui.concourse.onmessage_enforce_same_origin_whitelist property. To
learn more, see Specify UTL allow list for cross-origin iframe communication.More information
| Attribute | Description |
|---|---|
| Property name | glide.ui.concourse.onmessage_enforce_same_origin |
| Configuration type | System Properties (/sys_properties_list.do) |
| Configure in Instance Security Center | Yes |
| Purpose | To enable inclusion liting of trusted domains, so they can communicate between iframes for openframe. |
| Recommended value | true |
| Functional Impact | If you do not inclusion list intended domains, the ability to embed other pages within ServiceNow AI Platform instances may be limited. |
| Security risk | (High) If a web page contains event handlers that do not perform proper origin validation, a web page, or script from any origin, can communicate with it. It can also initiate any functionality performed by the event handler. |
| References | OpenFrame overview |
To learn more about adding or creating a system property, see Add a system property.