[CONFSERVER-40640] Add system property to allow for whitelisting domain(s) when clickjacking protection is disabled

Type: Suggestion
Resolution: Fixed
Fix Version/s: 8.9.1, 8.5.9, 9.0.1
Component/s: None
Labels:

UIS:
2
Support reference count:
5
Feedback Policy:

We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

Currently in Confluence Cloud it's possible to turn clickjacking protection off (with the confluence.clickjacking.protection.disable) if customers want to embed their Confluence pages in their own portal. This isn't very safe, so it would be good to have an additional property to allow for setting the X-FRAME-OPTIONS ALLOW-FROM <domain> header to whitelist just the customer's portal domain.

relates to

CONFCLOUD-40640 Add system property to allow for whitelisting domain(s) when clickjacking protection is disabled

Gathering Interest

mentioned in: Page Failed to load

No work has yet been logged on this issue.

Assignee:: Unassigned

Reporter:: Nick Mason

Votes:: 29 Vote for this issue

Watchers:: 26 Start watching this issue

Created:: 02/Feb/2016 12:18 AM

Updated:: 30/Jul/2024 9:14 AM

Resolved:: 28/Jun/2024 9:06 AM

Confluence Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates