-
Bug
-
Resolution: Fixed
-
Low
-
5.1.1
-
None
NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.
Confluence is vulnerable to Clickjacking. That is, it is possible to frame confluence from a page hosted in a different domain and trick the user into performing an action they did not intend to perform, for example changing their display name.
This issue can be addressed by using the X-Frame-Options header and or through the CSP frame-ancestors directive. When fixing this issue we need to ensure that resources that need to be able to be framed are still allowed to be framed, e.g. gadget resources.
- duplicates
-
CONFSERVER-22952 Enable X-FRAME-Option in HTTP response headers in order to provide clickjacking protection
- Closed
- relates to
-
-
- Closed
-
- supersedes
-
- Closed
- is related to
-
SCT-1150 Failed to load
- mentioned in
-
Page
No Confluence page found with the given URL.
-
Page Loading...
-
-
-
-
-
-
-
-
-
-
-
-
-
-
[CONFSERVER-29230] UI Redressing (Clickjacking)
| Remote Link | Original: This issue links to "Page (Atlassian Documentation)" [ 173489 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 930044 ] |
| Remote Link | Original: This issue links to "Page (Confluence)" [ 662276 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 662276 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 648301 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 646255 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 646176 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 642146 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 638976 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 639113 ] |