Embedding an External Dashboard via iFrame Blocked Due to Missing Content Security-Policy Header Issue <!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } An external dashboard embedded within the platform via an iFrame is being blocked because the required Content-Security-Policy: frame-ancestors HTTP Response Header is not present or not correctly configured. The HTTP Response Header module applies headers globally or by application scope, and there is a need to understand the security implications of applying the header to all pages, as well as options for scoping the header to specific pages or content blocks. Symptoms<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } An iFrame embedding an external dashboard does not load and is blocked by the browser.The browser console displays a Content-Security-Policy (CSP) error related to frame-ancestors.The HTTP Response Header configuration is available only at the global ("All Pages") or application scope level, with no native option to restrict it to specific URL paths or pages.Concern exists around the security impact of applying a permissive frame-ancestors header universally across the instance. Release<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } All Supported Relases Cause<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } The browser blocks iFrame content when the host application does not include a Content-Security-Policy: frame-ancestors header that explicitly permits the external domain to embed its content. ServiceNow's HTTP Response Header module applies headers globally or per application scope, not at the individual page or URL path level, making it difficult to limit the header to only the pages that require iFrame embedding. Applying the header to all pages expands the attack surface by making every page in the instance embeddable from the permitted domain, including sensitive records, forms, and administrative panels. Resolution<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Evaluate the following options based on your organization's security posture and implementation requirements: Option 1: Client-Side Meta Tag via UI Script or Service Portal Widget (Limited Effectiveness) Inject a CSP meta tag directly into specific widgets or portal pages that require iFrame embedding: <meta http-equiv="Content-Security-Policy" content="frame-ancestors 'self' https://your-external-domain.com"> Note: This does not replace a true HTTP response header and has limited browser support for CSP enforcement via meta tags. It provides page-level scoping but should not be relied upon as a primary security control. Option 2: Middleware or API Gateway Proxy Route iFrame requests through a middleware layer or API gateway that conditionally injects the Content-Security-Policy: frame-ancestors header only for the relevant dashboard endpoints, keeping all other pages unaffected. Option 3: Scripted Conditional Header via Business Rule or Scripted REST API (Recommended for Granular Control) Implement a custom Business Rule or Scripted REST API that programmatically sets the CSP header based on the requested URL path. This allows the header to be applied only where iFrame embedding is required. Note: this is a custom implementation and falls outside the scope of out-of-box platform support. Option 4: Accept Global "All Pages" Scope with Compensating Controls If scoping is not feasible, apply the header globally and mitigate risk through the following compensating controls: Ensure the permitted external domain is tightly controlled, patched, and monitored.Apply X-Frame-Options: SAMEORIGIN as a secondary header on sensitive modules to restrict embedding to same-origin contexts only.Implement logging and alerting for iFrame embedding attempts.Document the global header application as a known, accepted risk in your organization's security or system plan. For environments with elevated compliance requirements, Option 3 or Option 4 with compensating controls is the recommended path. If custom implementation assistance is needed, consider engaging your platform's Professional Services team or consulting the vendor's community forums.