Confluence Data Center - CONFSERVER-40640

Add system property to allow for whitelisting domain(s) when clickjacking protection is disabled

    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

      Currently in Confluence Cloud it's possible to turn clickjacking protection off (with the confluence.clickjacking.protection.disable system property) if customers want to embed their Confluence pages in their own portal. This isn't very safe, so it would be good to have an additional property to allow for setting the X-FRAME-OPTIONS ALLOW-FROM <domain> header to whitelist just the customer's portal domain.


            James Whitehead added a comment -

            A fix for this issue is available in Confluence Data Center 9.0.1.
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            Kusal Kithul-Godage added a comment -

            The following system property is now available for this purpose:

            confluence.security.allowed.urls

            Please refer to the following page for more details:

            https://confluence.atlassian.com/doc/recognized-system-properties-190430.html

            Ksawery Buczkowski added a comment -

            But since the built-in clickjacking protection sets a hardcoded
            frame-ancestors 'self'
            maybe there is a possibility to extend that with whitelisted domains instead of writing your own filter and disabling the built-in clickjacking protection?

            Ksawery Buczkowski added a comment - - edited

            Although it will not work for most browsers:
            https://caniuse.com/mdn-http_headers_x-frame-options_allow-from

            You can actually override the settings by disabling the clickjacking protection:
            -Dconfluence.clickjacking.protection.disable=true
            and enabling the httpHeaderSecurity filter in conf/web.xml:

            <!-- Tomcat's HttpHeaderSecurityFilter. Besides X-Frame-Options it also sends
                 X-Content-Type-Options: nosniff and, on HTTPS responses, Strict-Transport-Security
                 unless those options are switched off via their own init-params. -->
            <filter>
                <filter-name>httpHeaderSecurity</filter-name>
                <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
                <async-supported>true</async-supported>
                <init-param>
                    <param-name>antiClickJackingEnabled</param-name>
                    <param-value>true</param-value>
                </init-param>
                <!-- ALLOW-FROM accepts exactly one origin; the header value becomes
                     "X-Frame-Options: ALLOW-FROM <antiClickJackingUri>" -->
                <init-param>
                    <param-name>antiClickJackingOption</param-name>
                    <param-value>ALLOW-FROM</param-value>
                </init-param>
                <!-- Must be an absolute origin (scheme + host), not a bare hostname -->
                <init-param>
                    <param-name>antiClickJackingUri</param-name>
                    <param-value>https://example.com</param-value>
                </init-param>
            </filter>

            <filter-mapping>
                <filter-name>httpHeaderSecurity</filter-name>
                <url-pattern>/*</url-pattern>
                <dispatcher>REQUEST</dispatcher>
            </filter-mapping>
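            The two comments above (extending the hardcoded frame-ancestors 'self', and X-Frame-Options ALLOW-FROM being unsupported by most browsers) point at the same replacement: a Content-Security-Policy frame-ancestors allow-list, which takes any number of origins and which CSP-aware browsers prefer over X-Frame-Options when both headers are present. The servlet filter below is an added example, not Confluence or Atlassian code. It assumes the built-in protection is disabled with -Dconfluence.clickjacking.protection.disable=true, that the filter is registered in conf/web.xml the same way as the Tomcat filter above, and that the allowed origins come from a hypothetical system property named portal.frame.ancestors (not a real Confluence property) as a comma-separated list.

```java
// Added example, not Atlassian code: emit a CSP frame-ancestors allow-list
// instead of the poorly supported X-Frame-Options ALLOW-FROM.
// Assumes Confluence's own clickjacking filter is disabled with
// -Dconfluence.clickjacking.protection.disable=true and that the filter is
// mapped to /* in conf/web.xml. The property name below is hypothetical.
package example.security;

import java.io.IOException;
import java.net.URI;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class FrameAncestorsFilter implements Filter {
    /** Hypothetical property, e.g. -Dportal.frame.ancestors=https://portal.example.com,https://lms.example.org */
    static final String PROPERTY = "portal.frame.ancestors";

    private List<String> allowedOrigins = Collections.emptyList();

    @Override
    public void init(FilterConfig config) {
        allowedOrigins = parseOrigins(System.getProperty(PROPERTY, ""));
    }

    /**
     * Keeps only well-formed absolute origins (http/https scheme + host, optional port).
     * Entries with a path, query, fragment or userinfo are dropped, so an operator typo
     * such as "https://evil.example@portal.example.com" cannot widen the policy.
     */
    static List<String> parseOrigins(String raw) {
        List<String> out = new ArrayList<>();
        for (String part : raw.split(",")) {
            String s = part.trim();
            if (s.isEmpty()) {
                continue;
            }
            try {
                URI u = URI.create(s);
                boolean httpScheme = "https".equals(u.getScheme()) || "http".equals(u.getScheme());
                String path = u.getRawPath();
                boolean bareOrigin = (path == null || path.isEmpty() || "/".equals(path))
                        && u.getRawQuery() == null && u.getRawFragment() == null
                        && u.getRawUserInfo() == null && u.getHost() != null;
                if (httpScheme && bareOrigin) {
                    out.add(u.getScheme() + "://" + u.getHost()
                            + (u.getPort() == -1 ? "" : ":" + u.getPort()));
                }
            } catch (IllegalArgumentException malformed) {
                // fail closed: a malformed entry is simply not allow-listed
            }
        }
        return out;
    }

    /** frame-ancestors 'self' plus each allow-listed origin, space separated as CSP requires. */
    static String buildPolicy(List<String> origins) {
        StringBuilder sb = new StringBuilder("frame-ancestors 'self'");
        for (String origin : origins) {
            sb.append(' ').append(origin);
        }
        return sb.toString();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            http.setHeader("Content-Security-Policy", buildPolicy(allowedOrigins));
            // Legacy fallback for browsers without CSP frame-ancestors support.
            // ALLOW-FROM is deliberately not used; SAMEORIGIN is the strictest value
            // that still expresses 'self'. CSP-aware browsers ignore this header when
            // frame-ancestors is present.
            http.setHeader("X-Frame-Options", allowedOrigins.isEmpty() ? "DENY" : "SAMEORIGIN");
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

            Registering it means a filter and filter-mapping block in conf/web.xml just like the httpHeaderSecurity one above, with example.security.FrameAncestorsFilter as the filter-class. Because the header is computed once at init, a change to the property needs a restart; the trade-off is that no request can influence the policy at runtime.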

            Richard Ward added a comment -

            +1 for this ticket. We would like to use Confluence pages as a source for web application help pop-ups, and would like to show just the content of the page, without the associated Confluence left navigation pane, etc.

            Ajay Upadhyaya added a comment -

            +1 for this ticket. We have a few customers who use our add-on Gilly/EduBrite to add learning content in Confluence, which is no issue. But this enhancement is needed by them to reuse Confluence content in the course (as an iframe) they create in our system. A related request is to also allow a way to turn off header/footer/navigation using CSS or some other way when the Confluence page isn't the top-level window (embedded as an iframe). This was possible in Confluence Server using the custom HTML code.

              Assignee: Unassigned
              Reporter: Nick Mason (nmason)
              Votes: 29
              Watchers: 26