[CONFSERVER-40640] Add system property to allow for whitelisting domain(s) when clickjacking protection is disabled

Type: Suggestion
Resolution: Fixed
Fix Version/s: 8.9.1, 8.5.9, 9.0.1
Component/s: None
Labels:

UIS:
2
Support reference count:
5
Feedback Policy:

We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

Currently in Confluence Cloud it's possible to turn clickjacking protection off (with the confluence.clickjacking.protection.disable) if customers want to embed their Confluence pages in their own portal. This isn't very safe, so it would be good to have an additional property to allow for setting the X-FRAME-OPTIONS ALLOW-FROM <domain> header to whitelist just the customer's portal domain.

relates to

CONFCLOUD-40640 Add system property to allow for whitelisting domain(s) when clickjacking protection is disabled

Gathering Interest

mentioned in: Page Failed to load

James Whitehead added a comment - 30/Jul/2024 9:14 AM

A fix for this issue is available in Confluence Data Center 9.0.1.
Upgrade now or check out the Release Notes to see what other issues are resolved.

James Whitehead added a comment - 30/Jul/2024 9:14 AM A fix for this issue is available in Confluence Data Center 9.0.1. Upgrade now or check out the Release Notes to see what other issues are resolved.

James Whitehead made changes - 30/Jul/2024 6:55 AM

Fix Version/s

Original: 9.0.0 [ 106328 ]

James Whitehead made changes - 30/Jul/2024 6:54 AM

Fix Version/s

New: 9.0.1 [ 108911 ]

Kusal Kithul-Godage added a comment - 28/Jun/2024 9:09 AM

The following system property is now available for this purpose:

confluence.security.allowed.urls

Please refer to the following page for more details:

https://confluence.atlassian.com/doc/recognized-system-properties-190430.html

Kusal Kithul-Godage added a comment - 28/Jun/2024 9:09 AM The following system property is now available for this purpose: confluence.security.allowed.urls Please refer to the following page for more details: https://confluence.atlassian.com/doc/recognized-system-properties-190430.html

Kusal Kithul-Godage made changes - 28/Jun/2024 9:07 AM

Fix Version/s		New: 8.9.1 [ 107890 ]
Fix Version/s		New: 8.5.9 [ 107992 ]
Fix Version/s		New: 9.0.0 [ 106328 ]

Kusal Kithul-Godage made changes - 28/Jun/2024 9:06 AM

Resolution		New: Fixed [ 1 ]
Status	Original: Waiting for Release [ 12075 ]	New: Closed [ 6 ]

Kusal Kithul-Godage made changes - 28/Jun/2024 9:06 AM

Status

Original: In Progress [ 3 ]

New: Waiting for Release [ 12075 ]

Kusal Kithul-Godage made changes - 28/Jun/2024 9:06 AM

PM Reviewed		New: 16/Apr/2024
QA Kickoff Status		New: Not Needed [ 14236 ]
Status	Original: Gathering Interest [ 11772 ]	New: In Progress [ 3 ]

Kusal Kithul-Godage made changes - 28/Jun/2024 9:05 AM

Link

New: This issue is resolved by CONFSRVDEV-31105 [ CONFSRVDEV-31105 ]

SET Analytics Bot made changes - 06/May/2024 2:01 AM

UIS

Original: 1

New: 2

Assignee:: Unassigned

Reporter:: Nick Mason

Votes:: 29 Vote for this issue

Watchers:: 26 Start watching this issue

Created:: 02/Feb/2016 12:18 AM

Updated:: 30/Jul/2024 9:14 AM

Resolved:: 28/Jun/2024 9:06 AM

Confluence Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

Collapse comment: James Whitehead added a comment - 30/Jul/2024 9:14 AM

Expand comment: James Whitehead added a comment - 30/Jul/2024 9:14 AM

Collapse comment: Kusal Kithul-Godage added a comment - 28/Jun/2024 9:09 AM

Expand comment: Kusal Kithul-Godage added a comment - 28/Jun/2024 9:09 AM

People

Dates