NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

Confluence is vulnerable to Clickjacking. That is, it is possible to frame Confluence from a page hosted on a different domain and trick the user into performing an action they did not intend to perform, for example changing their display name.

This issue can be addressed by using the X-Frame-Options header and/or the CSP frame-ancestors directive. When fixing this issue we need to ensure that resources that legitimately need to be framed are still allowed to be framed, e.g. gadget resources.
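As an added example (not code from the Atlassian issue or from Confluence itself), a small Python policy that emits the headers the description mentions, denying framing by default while exempting an assumed allowlist of embeddable resource paths, plus a checker for whether a given response could still be framed from another origin. The path prefixes, origins and the protection_disabled switch are assumptions for illustration.

```python
"""Anti-clickjacking header policy plus a response checker (added example)."""

# Assumed prefixes of resources that must stay embeddable (e.g. gadgets);
# these are illustrative, not Confluence's real routes.
FRAMEABLE_PREFIXES = ("/rest/gadgets/", "/plugins/servlet/gadgets/")


def frame_protection_headers(path, protection_disabled=False, trusted_ancestors=()):
    """Return the anti-framing headers a response for `path` should carry.

    protection_disabled models an opt-out switch such as a system property:
    when True nothing is emitted and the operator accepts the clickjacking risk.
    trusted_ancestors restricts who may embed the frameable paths; empty means
    those paths may be embedded from any origin (the gadget use case).
    """
    if protection_disabled:
        return {}
    if any(path.startswith(p) for p in FRAMEABLE_PREFIXES):
        if trusted_ancestors:  # X-Frame-Options has no allowlist form; use CSP
            return {"Content-Security-Policy":
                    "frame-ancestors " + " ".join(trusted_ancestors)}
        return {}
    # Send both: X-Frame-Options for older browsers, frame-ancestors for current ones.
    return {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'"}


def framing_allowed(headers, framer_origin, self_origin):
    """Would a browser let a page at framer_origin embed this response?

    frame-ancestors takes precedence over X-Frame-Options when both are set.
    Sources are matched as exact origins; host wildcards are not handled.
    """
    for directive in headers.get("Content-Security-Policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0] == "frame-ancestors":
            allowed = set()
            for src in tokens[1:]:
                if src == "'self'":
                    allowed.add(self_origin)
                elif src != "'none'":  # 'none' matches nothing
                    allowed.add(src)
            return "*" in allowed or framer_origin in allowed
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == self_origin
    return True  # no protection at all: any page can frame this response
```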

[CONFSERVER-29230] UI Redressing (Clickjacking)

Jiri Hronik added a comment - A fix for this issue is available to Server and Data Center customers in Confluence 7.4.10.
Upgrade now or check out the Release Notes to see what other issues are resolved.

Jiri Hronik added a comment (edited) - A fix for this issue is available to Server and Data Center customers in Confluence 7.12.3.
Upgrade now or check out the Release Notes to see what other issues are resolved.

David Black added a comment - I suggest opening a support issue for the portfolio iframe breakage.

Deleted Account (Inactive) added a comment - @dblack I accept it's security because I need portfolio reports in Confluence. Please describe it more. Where do I have to set this property?

Steven Behnke added a comment - Seems like this broke the portfolio iframe, no?

Alan Forbes added a comment - So how do you do that?

David Black added a comment - If you need to be able to iframe Confluence and are willing to accept the security implications of doing so, then you may wish to set the confluence.clickjacking.protection.disable system property to true. However, we recommend not using the confluence.clickjacking.protection.disable system property.

Pranjal Shukla added a comment - Any tentative date to get it fixed?
