Virtual agent embedded client content security policy (instance security hardening)

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 1 minute to read

    Use the com.glide.cs.embed.csp_frame_ancestors property to enable the configuration of the frame-ancestors policy for only the https://<your-instance>.service-now.com/sn_va_web_client_app_embed.do page.

    The Virtual Agent Plugin enables embedding of a client in an external web page. To enable the client page to be embedded in the web page, the Content Security Policy must allow the external page as a parent frame.
    Note:
    Avoid using only '*' as the Content Security Policy because it would enable all domains and leave the application potentially vulnerable to clickjacking.

    More information

    Property name: com.glide.cs.embed.csp_frame_ancestors
    Configuration type: System Properties (/sys_properties_list.do)
    Configure in Instance Security Center: No
    Purpose: To enable creation of a customized Content Security Policy for the embeddable Virtual Agent page.
    Recommended value: Set to trusted domains
    Functional impact: The Virtual Agent embeddable client doesn't allow itself to be embedded in external sites unless the Content Security Policy is configured properly.
    Security risk (Medium): If configured improperly (allowing all parent frames), it may possibly leave the embeddable client page vulnerable to clickjacking.
    References

    Embed the Virtual Agent web client in an external web page

    To learn more about creating a frame-ancestors Content Security Policy, see here.

    Steps to configure

    1. Navigate to /sys_properties_list.do.
    2. Search for the com.glide.cs.embed.csp_frame_ancestors property.
    3. Assign an acceptable content security policy (allow only company or other accepted domains), then click Update.
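The following is an added example, not part of this documentation page or of ServiceNow's own code. It lints a candidate value before it is saved to com.glide.cs.embed.csp_frame_ancestors (rejecting '*', scheme-only and plaintext http:// sources, which would weaken or nullify the clickjacking protection the note above describes), renders the resulting frame-ancestors directive, and extracts that directive from a Content-Security-Policy header value so the setting can be verified against the served embed page after the update. All hostnames are constructed placeholders.

```python
"""Lint a frame-ancestors source list for the embeddable Virtual Agent page
and verify the directive in a served Content-Security-Policy header.
Hostnames in this file are constructed examples, not real customer domains."""
from __future__ import annotations

import re

# CSP host-source: optional https:// scheme, optional "*." wildcard label,
# a dotted hostname, optional port. Plain http:// is deliberately not matched.
HOST_SOURCE = re.compile(
    r"^(?:https://)?(?:\*\.)?(?:[a-z0-9-]+\.)+[a-z0-9-]+(?::\d{1,5})?$", re.I
)
KEYWORDS = {"'self'", "'none'"}


def lint_frame_ancestors(value: str) -> list[str]:
    """Return the problems found in a frame-ancestors source list.
    An empty list means embedding is restricted to explicitly named origins."""
    problems: list[str] = []
    sources = value.split()
    if not sources:
        return ["empty value: write 'none' if embedding should be disabled"]
    if "'none'" in sources and len(sources) > 1:
        problems.append("'none' cannot be combined with other sources")
    for src in sources:
        if src == "*":
            problems.append("'*' lets any site frame the page (clickjacking exposure)")
        elif src in ("https:", "http:"):
            problems.append(f"{src} is a scheme-only source and allows every {src[:-1]} origin")
        elif src.lower().startswith("http://"):
            problems.append(f"{src}: plaintext origin; use https://")
        elif src in KEYWORDS:
            continue
        elif not HOST_SOURCE.match(src):
            problems.append(f"{src}: not a valid host-source")
    return problems


def build_csp(value: str) -> str:
    """Render the directive the instance would emit, refusing unsafe values."""
    problems = lint_frame_ancestors(value)
    if problems:
        raise ValueError("; ".join(problems))
    return f"frame-ancestors {value}"


def frame_ancestors_from_header(header: str) -> list[str] | None:
    """Pull the frame-ancestors sources out of a Content-Security-Policy
    header value (for example copied from curl -I output); None if absent."""
    for directive in header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


if __name__ == "__main__":
    # Constructed candidate values; the hostnames are placeholders.
    candidates = [
        "*",
        "http://intranet.example.com",
        "'self' https://intranet.example.com https://*.portal.example.com",
    ]
    for candidate in candidates:
        issues = lint_frame_ancestors(candidate)
        print(f"{candidate!r}: {'OK' if not issues else issues}")
    # Constructed header value standing in for what the embed page returns.
    header = "default-src 'self'; frame-ancestors 'self' https://intranet.example.com"
    print(frame_ancestors_from_header(header))
```

Run the lint on the value you intend to paste into the property; only a value with no reported problems should be saved. After clicking Update, fetch the sn_va_web_client_app_embed.do page with your usual HTTP client and pass the Content-Security-Policy header value to frame_ancestors_from_header to confirm the served directive matches what was configured.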