Details
-
Bug
-
Resolution: Fixed
-
Low
-
None
Description
NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report.
Confluence is vulnerable to Clickjacking. That is, it is possible to frame confluence from a page hosted in a different domain and trick the user into performing an action they did not intend to perform, for example changing their display name.
This issue can be addressed by using the X-Frame-Options header and or through the CSP frame-ancestors directive. When fixing this issue we need to ensure that resources that need to be able to be framed are still allowed to be framed, e.g. gadget resources.
Attachments
Issue Links
- duplicates
-
CONFCLOUD-22952 Enable X-FRAME-Option in HTTP response headers in order to provide clickjacking protection
- Closed
- is related to
-
CONFSERVER-29230 UI Redressing (Clickjacking)
- Closed
- relates to
-
JRACLOUD-25143 Enable X-FRAME-Options header to implement clickjacking protection
- Closed
- supersedes
-
CONFCLOUD-22952 Enable X-FRAME-Option in HTTP response headers in order to provide clickjacking protection
- Closed