In the Fall 2023 release of Oomnitza, we’ve enhanced our Cross-Origin Resource Sharing (CORS) policy. CORS is a browser security mechanism that controls whether web pages from one domain can access resources from another domain. Oomnitza's Service Desk integrations use CORS for direct browser-to-server communications.
We’ve introduced a new global variable, security.allowed_cors_domains, that allows you to build a list of trusted domains in your Oomnitza instance. This enhancement improves the security of your Service Desk integrations and ensures that they are protected from unauthorized access.
Important
This enhancement applies only to Service Desk integrations. As an opt-in feature, your existing integrations won't be affected. However, once you add any domain to the global variable, your Oomnitza instance will rely on this allow list. Ensure all necessary domains are added.
Procedure
To leverage this enhanced security feature, add the domains of your service desk integrations to the security.allowed_cors_domains global variable in Oomnitza:
- Identify the domains of your service desk integrations.
- Add the domains in a comma-separated list as values to the security.allowed_cors_domains global variable. Refer to the steps in Update the Global Setting for more information.
Identify the domains
Service desk integration | Domain |
Salesforce |
Follows the format: If your installed package is unmanaged, the Package Name is If your URL is You do not need to include the leading Refer to Retrieving your domain for more information |
Freshservice |
For Freshservice, you need to add this specific domain without the leading
|
Jira Cloud | Enter the following value: jira-plugin-server.oomnitza.com
|
Jira Server |
Enter the domain of your Jira Server instance, without the For example, |
ServiceNow |
Enter the domain of your ServiceNow instance, without the For example, |
Zendesk |
Typically follows the format You do not need to include the leading Refer to Retrieving your domain for more information |
Retrieving your domain
If you're having trouble identifying the correct domain, you can find it in the "Referer" request header, which is visible in your browser's developer tools.
- Launch the third-party application and go to the page displaying the Oomnitza widget.
- Right-click and choose Inspect to open your browser's developer tools.
- Click on the Network tab.
- Refresh the page to capture the latest data.
- Search for a request directed to the Oomnitza server, such as "session-check".
- Look for the "Referer" parameter under the Request Header.
Fig: Zendesk Referer parameter.
Update the Global Setting
To add the domain of your service desk integrations as a global setting, follow these steps:
- Click Configuration > General > Global Settings.
- Search for the security.allowed_cors_domains global variable. If you're on the Fall 2023 release or newer, this will be readily available. For instances prior to Fall 2023, you can add this global variable manually and take advantage of the same benefits.
- Enter the domains of your service desk integrations as the value. Ensure that the domains are provided in a comma-separated list with no spaces.
- Click Save.
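As an added example (not Oomnitza's code), the following Python script turns Referer values copied from the developer tools into the comma-separated, space-free value and lists any observed integration domain that a given value omits. It assumes entries are bare hostnames compared exactly, without scheme, port or path; the function names and the example.com and example.net Referer values are constructed.

```python
from urllib.parse import urlsplit

def referer_to_domain(referer):
    """Reduce a Referer value copied from developer tools to a bare hostname."""
    value = referer.strip()
    # urlsplit only recognises the host when a scheme or '//' precedes it
    parts = urlsplit(value if "://" in value else "//" + value)
    host = (parts.hostname or "").rstrip(".")  # lowercased, port removed
    if "." not in host or "*" in host or any(c.isspace() for c in host):
        raise ValueError(f"not a usable domain: {referer!r}")
    return host

def build_setting(referers):
    """Return the comma-separated, space-free value for the allow list."""
    domains = []
    for referer in referers:
        domain = referer_to_domain(referer)
        if domain not in domains:  # keep first-seen order, drop duplicates
            domains.append(domain)
    return ",".join(domains)

def missing_domains(setting_value, referers):
    """List observed integration domains that the given value omits.

    Assumption: entries are compared as exact hostnames; the page does not
    describe the matching rules.
    """
    allowed = set(setting_value.split(","))
    needed = [referer_to_domain(r) for r in referers]
    return sorted({d for d in needed if d not in allowed})

# Constructed sample Referer values (placeholders, not real instances)
OBSERVED = [
    "https://helpdesk.example.com/agent/tickets/42",
    "https://jira.example.net:8443/browse/IT-7",
    "https://HELPDESK.example.com/agent/dashboard",
    "jira-plugin-server.oomnitza.com",  # Jira Cloud value given on the page
]

if __name__ == "__main__":
    print(build_setting(OBSERVED))
    print(missing_domains("helpdesk.example.com", OBSERVED))
```

Because the instance relies on the allow list as soon as one domain is added, run the check against the full set of integrations before saving the value.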
Conclusion
The improvement to our CORS policy through the introduction of a global variable is a valuable security feature that can help to protect your Service Desk integrations. We encourage you to take advantage of this new feature and add all of your domains to the trusted allow list.