
"What's New" inconsistent user experience across browsers on SSL wiki site

      NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

      When viewing a secure site over SSL, most browsers' default behavior blocks, or prompts with a warning for, any linked non-SSL content. The "What's New" iframe can be configured via help-paths.properties to load from https://docs.atlassian.com/ instead of http://docs.atlassian.com/ in an attempt to avoid this. However, that doesn't achieve much, since the "What's New" destination page then does a redirect to a non-SSL page located under http://www.atlassian.com/, which then attempts to redirect to https://www.atlassian.com/.

      Because the insecure redirect is blocked, the user gets an empty white box for the "What's New" feature or, if they are lucky, an error message saying the content couldn't be loaded. Some browsers will prompt the user asking if they would like to permit mixed content; others will not.

      It seems clear to me that the redirect setup from https://docs.atlassian.com/ should go straight to the secure https://www.atlassian.com/ site since that's where the content is ultimately hosted anyway.

      I don't want to host Confluence help locally and I'm not even sure that would include "What's New" notices anyway. The only feasible workaround I could come up with was to disable "What's New" notices, which is rather unfortunate.

      To reproduce, visit the first URL and inspect the HTTP requests with Tamper Data or Fiddler:
      https://docs.atlassian.com/confluence/docs-52/whatsnew/iframe
      http://www.atlassian.com/en/software/confluence/whats-new-iframe/52
      https://www.atlassian.com/en/software/confluence/whats-new-iframe/52
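
The redirect chain from the reproduction steps above, checked hop by hop for the HTTPS-to-HTTP downgrade that a browser blocks inside an HTTPS page. This is an added example, not part of the original report or any Atlassian code; the redirect table is constructed from the three URLs listed, and `trace_chain`, `insecure_hops`, `embeddable_on_https_page` and the `lookup` callable are hypothetical names.

```python
from urllib.parse import urljoin, urlsplit

# Constructed redirect table reproducing the three hops listed in the report.
# For live use, pass a `lookup` that issues one request without following
# redirects and returns the Location header value (or None).
SAMPLE_REDIRECTS = {
    "https://docs.atlassian.com/confluence/docs-52/whatsnew/iframe":
        "http://www.atlassian.com/en/software/confluence/whats-new-iframe/52",
    "http://www.atlassian.com/en/software/confluence/whats-new-iframe/52":
        "https://www.atlassian.com/en/software/confluence/whats-new-iframe/52",
}


def trace_chain(start, lookup, max_hops=10):
    """Return every URL visited, resolving relative Location values."""
    chain, seen = [start], {start}
    while len(chain) <= max_hops:
        location = lookup(chain[-1])
        if not location:
            break
        nxt = urljoin(chain[-1], location)
        chain.append(nxt)
        if nxt in seen:  # redirect loop: stop, but keep the repeat visible
            break
        seen.add(nxt)
    return chain


def insecure_hops(chain):
    """Hops an HTTPS parent page would block when framing this chain."""
    findings = []
    for index, url in enumerate(chain):
        if urlsplit(url).scheme.lower() != "https":
            source = chain[index - 1] if index else None
            findings.append({"hop": index, "url": url, "redirected_from": source})
    return findings


def embeddable_on_https_page(chain):
    """True only if every hop, including the last, is served over HTTPS."""
    return not insecure_hops(chain)


if __name__ == "__main__":
    chain = trace_chain(next(iter(SAMPLE_REDIRECTS)), SAMPLE_REDIRECTS.get)
    for finding in insecure_hops(chain):
        print("blocked as mixed content:", finding)
```

A secure final URL is not enough: the check fails on the intermediate http:// hop even though the chain starts and ends on HTTPS.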

            [CONFSERVER-31065] "What's New" inconsistent user experience across browsers on SSL wiki site

            Sam Hall added a comment -

            I disabled the "What's New" plugin and found an alternative way of informing users of new features. After this bug was fixed we encountered other issues with the plugin and so I just gave up on it.


            SimratPal Singh added a comment - - edited

            I am running on 5.5.3 and I am using a simple iFrame macro, wherein the source is on http whereas my Confluence is on https. On the page load I get a message:

            The page at *** was loaded over HTTPS, but requested an insecure resource ***. This request has been blocked; the content must be served over HTTPS.

            Olivier Crozier added a comment -

            This issue has been resolved yesterday for Confluence 5.5. What about a fix for Confluence 5.4?
            I tried to upgrade the Confluence What's New Plugin to version 6.0.1 but still the behaviour is different with different browsers; it functions with IE, it gives a blank page with Firefox, and an Oops with Chrome.

            Thanks for your help.

            Steve Haffenden (Inactive) added a comment -

            tpiotrowski Yup. Confirmed. Cheers fella, you're a legend!

            Craig Solinski added a comment -

            I agree with Kerrin: same version, same problem. This should be addressed - it's impacting thousands of users, and workarounds are not supported or have negative impact potential.

            -craig

            Kerrin Hardy added a comment -

            This is still an issue with Confluence 5.4.4. (We are also on JIRA 6.2.3 but this has no issues.) Both are fully SSL.

            What is the recommended, supported workaround as at the current Confluence version?

            Sam Hall added a comment - - edited

            Joshua, have you tried updating the help.prefix parameter to include https? If not then your issue isn't covered by this bug report.

            The latest version of the page with instructions on how to customise help paths has been deleted, but here's the version 5.2 link... https://confluence.atlassian.com/display/CONF52/Local+Confluence+Documentation

            Not sure why they took it down, I'm still on version 5.2.5. Perhaps the help-paths.properties file no longer needs to be extracted from a jar.


            Joshua Kugler added a comment -

            This is still an issue in 5.4.4

            Sam Hall added a comment -

            That said, I've just checked it now and it appears that the redirect is now working. Looks like this is finally fixed.


            Sam Hall added a comment -

            As per the description, I tried that and it didn't work due to the redirect from https://docs.atlassian.com/confluence/docs-52/whatsnew/iframe to non-SSL http://www.atlassian.com/en/software/confluence/whats-new-iframe/52 which is blocked by modern browsers.

            A workaround is of course not a fix, it's the only thing I could come up with to get the desired behaviour for the time being until someone at Atlassian gets around to configuring the web server to support this configuration correctly (it shouldn't redirect from SSL to non-SSL and finally back to SSL).


              tpiotrowski Ted Piotrowski (Inactive)
              acd7da918ec6 Sam Hall