-
Bug
-
Resolution: Fixed
-
Low
-
None
NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report.
Confluence is vulnerable to Clickjacking. That is, it is possible to frame confluence from a page hosted in a different domain and trick the user into performing an action they did not intend to perform, for example changing their display name.
This issue can be addressed by using the X-Frame-Options header and or through the CSP frame-ancestors directive. When fixing this issue we need to ensure that resources that need to be able to be framed are still allowed to be framed, e.g. gadget resources.
- duplicates
-
CONFCLOUD-22952 Enable X-FRAME-Option in HTTP response headers in order to provide clickjacking protection
- Closed
- is related to
-
CONFSERVER-29230 UI Redressing (Clickjacking)
- Closed
- relates to
-
JRACLOUD-25143 Enable X-FRAME-Options header to implement clickjacking protection
- Closed
- supersedes
-
CONFCLOUD-22952 Enable X-FRAME-Option in HTTP response headers in order to provide clickjacking protection
- Closed