[CONFSERVER-29230] UI Redressing (Clickjacking)

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 5.8.15, 7.4.10, 7.12.3
Affects Version/s: 5.1.1
Component/s: None
Labels:

Fixed in Long Term Support Release/s:

Download 7.4
Bug Fix Policy:
View Atlassian Server bug fix policy

NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

Confluence is vulnerable to Clickjacking. That is, it is possible to frame confluence from a page hosted in a different domain and trick the user into performing an action they did not intend to perform, for example changing their display name.

This issue can be addressed by using the X-Frame-Options header and or through the CSP frame-ancestors directive. When fixing this issue we need to ensure that resources that need to be able to be framed are still allowed to be framed, e.g. gadget resources.

duplicates

CONFSERVER-22952 Enable X-FRAME-Option in HTTP response headers in order to provide clickjacking protection

Closed

relates to

CONFCLOUD-29230 UI Redressing (Clickjacking)

Closed

supersedes

CONFSERVER-22952 Enable X-FRAME-Option in HTTP response headers in order to provide clickjacking protection

Closed

is related to: SCT-1150 Failed to load

mentioned in: Page No Confluence page found with the given URL.; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(15 mentioned in)

No work has yet been logged on this issue.

Assignee:: Phong Quoc Le (Inactive)

Reporter:: Adrian Bravo

Affected customers:: 7 This affects my team

Watchers:: 28 Start watching this issue

Created:: 08/May/2013 1:31 PM

Updated:: 31/Jan/2025 7:11 PM

Resolved:: 14/Oct/2015 2:37 PM

Confluence Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates