Confluence Data Center
CONFSERVER-57934

Adding panel, excerpt, warning, note, tip or info macro to the page in edit mode will trigger mixed content action in browser

    • Type: Bug
    • Resolution: Fixed
    • Priority: High
    • Fix Version: 7.3.2
    • Affects Versions: 6.14.0, 6.14.1, 6.14.2, 6.14.3, 6.15.1, 6.15.2, 6.15.4, 7.0.1
    • Component: Content - Page

      Issue Summary

      Editing a page that contains a panel, warning, note, tip or info macro over HTTPS triggers the browser's mixed content handling: the request for plugins/servlet/confluence/placeholder/macro-heading?definition=e25vdGV9&locale=en_US&version=2 is made over plain HTTP, which breaks the certificate trust indicator.

      Environment

      Confluence 6.14.x
      Confluence 6.15.x
      Confluence 7.0.x

      Connector with SSL

      Steps to Reproduce

      1. Create a page and add an excerpt, warning, note, tip or info macro.
      2. Open the browser's developer tools (network tab) and edit the page again.

      Expected Results

      The certificate stays trusted (green) and all requests are resolved over HTTPS.

      Actual Results

      At least one request is resolved over HTTP and the certificate is no longer shown as trusted because of mixed content. See the attached capture localhost_6.14.1.har.zip.
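      As an added example (not code from this issue or from Atlassian), the Node.js script below checks a HAR export from the browser's network tab for exactly the symptom described above: requests sent over plain HTTP from a page that was loaded over HTTPS. The host name and the embedded sample HAR are constructed placeholders.

```javascript
// Added example, not from the Jira issue or Atlassian: scan a HAR capture
// (such as the one attached to this issue) for requests that the browser
// resolved over plain http:// while the editor page was loaded over https://.
// SAMPLE_HAR is constructed by hand to mirror the reported failure; the host
// name is a placeholder.
const SAMPLE_HAR = {
  log: {
    pages: [{ id: "page_1", title: "https://confluence.example.test/pages/editpage.action?pageId=1" }],
    entries: [
      { pageref: "page_1", request: { url: "https://confluence.example.test/pages/editpage.action?pageId=1" }, response: { status: 200 } },
      { pageref: "page_1", request: { url: "https://confluence.example.test/s/batch.js" }, response: { status: 200 } },
      { pageref: "page_1", request: { url: "http://confluence.example.test/plugins/servlet/confluence/placeholder/macro-heading?definition=e25vdGV9&locale=en_US&version=2" }, response: { status: 0 } },
    ],
  },
};

// Return one finding per request that was sent over http:// from an https:// page.
// The page URL comes from the HAR "pages" list (Chrome stores the URL in "title");
// when a page entry is missing, the first request in the log is used instead.
function findMixedContent(har) {
  const pageUrls = new Map();
  for (const p of har.log.pages || []) pageUrls.set(p.id, p.title);
  const fallback = har.log.entries.length ? har.log.entries[0].request.url : "";
  const findings = [];
  for (const entry of har.log.entries) {
    const url = entry.request.url;
    const pageUrl = pageUrls.get(entry.pageref) || fallback;
    if (/^https:/i.test(pageUrl) && /^http:/i.test(url)) {
      findings.push({
        url,
        status: entry.response.status,
        // flag the macro placeholder request this issue is about
        macroPlaceholder: /\/placeholder\/macro-heading/.test(url),
      });
    }
  }
  return findings;
}

// Scan a HAR file exported from the browser's network tab.
function scanHarFile(path) {
  const fs = require("fs");
  return findMixedContent(JSON.parse(fs.readFileSync(path, "utf8")));
}

if (typeof require !== "undefined" && require.main === module) {
  const findings = process.argv[2] ? scanHarFile(process.argv[2]) : findMixedContent(SAMPLE_HAR);
  for (const f of findings) console.log(`mixed content: ${f.url} (HTTP status ${f.status})`);
}
```

      Run it against the unzipped HAR from the issue (node script.js capture.har); an empty result after upgrading confirms the editor no longer issues the HTTP placeholder request.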

      Notes

      The issue does not exist in 6.13.x

      Workaround

      Some users have found that the custom HTML below resolves the issue in Chrome:

      Copy the script below into the BODY section of Configuration --> Custom HTML

      <script type="text/javascript">
        // Rewrites editor-iframe URLs that were generated with an http:// base URL
        // back to relative paths. Returns true if at least one URL was rewritten.
        function fixFrameContent(frameContent, broken_url_prefix) {
          var replaced = false;
          // Replace broken img src urls
          frameContent.find("img").each(function(index) {
            var srcUrl = AJS.$(this).attr("src");
            if (!srcUrl) return true;  // no src attribute, continue with next element
            if (srcUrl.toLowerCase().startsWith(broken_url_prefix)) {
              var srcNewUrl = srcUrl.substring(broken_url_prefix.length);
              AJS.$(this).attr("src", srcNewUrl);
              replaced = true;
            }
          });  // each img

          // Replace broken tables for macro - background img url is broken
          // Iterate over all relevant tables to check background-image URL
          frameContent.find("table.wysiwyg-macro").each(function(index) {
            var bgiRaw = AJS.$(this).css("background-image");
            if (!bgiRaw) return true;  // nothing to do, continue with next element
            // remove 'url(...)' around the content (non-greedy so a closing quote is not captured)
            var bgiUrlMatch = bgiRaw.match(/url\(["']?(.*?)["']?\)/);
            if (!bgiUrlMatch) return true;  // nothing to do, continue with next element
            var bgiUrl = bgiUrlMatch[1];
            if (bgiUrl.toLowerCase().startsWith(broken_url_prefix)) {
              // Remove broken URL prefix, use relative path
              var bgiNewUrl = bgiUrl.substring(broken_url_prefix.length);
              AJS.$(this).css("background-image", "url('" + bgiNewUrl + "')");
              replaced = true;
            }
          }); // each macro in iframe
          return replaced;
        }

        AJS.toInit(function() {
          if (navigator.userAgent.indexOf("Trident/") > -1) {
            AJS.log("Fixing broken macro title - Internet Explorer - fix not required");
            return;
          }
          // Get Base URL
          var broken_url_prefix = Confluence.getBaseUrl().toLowerCase();
          // Only relevant when the base URL is https
          if (!broken_url_prefix.startsWith("https")) {
            AJS.log("Fixing broken macro title - no https base URL " + broken_url_prefix);
            return;
          }
          // The broken URLs use the same base URL with http instead of https
          broken_url_prefix = "http" + broken_url_prefix.substring(5);
          AJS.log("Fixing broken macro title - fixing URL prefix " + broken_url_prefix);

          // Bind to rich text editor event, triggered when edit button is pressed
          AJS.bind("init.rte", function() {
            AJS.$(document).bind('postPaste', function(e, pl, o) {
              // iframe is not filled when postPaste occurs, so wait and retry a few times
              var copyPasteRetry = 5;
              var pasteRetryHandle = setInterval(function() {
                copyPasteRetry--;
                if (copyPasteRetry <= 0) {
                  clearInterval(pasteRetryHandle);
                  return;
                }
                // Get iframe containing the editor HTML, including the relevant macro tables
                var frameContent = AJS.$("#wysiwygTextarea_ifr").contents();
                // Search editor content for broken links
                var pasteReplaced = fixFrameContent(frameContent, broken_url_prefix);
                // Stop polling after one more iteration if at least one macro was fixed
                if (pasteReplaced && copyPasteRetry > 2) copyPasteRetry = 2;
              }, 500); // retry interval 500ms
            }); // bind postPaste

            var counter = 10;

            // iframe is not filled when RTE event occurs
            // (Re-)start polling, found no event to wait until editor iframe is filled
            // and onLoad does not work.
            var timerHandle = setInterval(function() {
              // Stop polling when counter reaches zero
              counter--;
              if (counter <= 0) {
                clearInterval(timerHandle);
                return;
              }
              // Get iframe containing the editor HTML, including the relevant macro tables
              var frameContent = AJS.$("#wysiwygTextarea_ifr").contents();
              var replaced = fixFrameContent(frameContent, broken_url_prefix);
              // Stop polling after one more iteration if at least one macro was replaced
              if (replaced && counter > 2) counter = 2;
            }, 1000); // every 1000ms
          });
        }); // toInit
      </script>

      Attachments

      1. localhost_6.14.1.har.zip (1.77 MB)
      2. mixed_contet.jpeg (1.83 MB)


            Minh Tran added a comment -

            A fix for this issue is available to Server and Data Center customers in Confluence 7.3.2
            Upgrade now or check out the Release Notes to see what other issues are resolved.


            Lokeswara added a comment -

            Hello Atlassian Team,

            When are you guys fixing this issue? Please expedite asap.

            Lokeswara added a comment -

            Atlassian team any update on this


            Lokeswara added a comment -

            Atlassian team,

            Any update on this? Please provide the solution at the earliest.

            Lokeswara added a comment - edited

            @Atlassian Team

            When can you guys fix this issue? It's really hampering our work.

            My confluence version is 7.1.2

            wilfred.mollenvanger added a comment -

            oshen@atlassian.com why did you remove this from the sprint again? It's been almost 10 months and looks like a trivial thing to fix. This bug is keeping us from upgrading, which we really need to do because of the security issues with our current confluence.

            Issa added a comment -

            Hi Sergey Papurin, we are behind a corporate reverse proxy and they won't allow this type of hack. Anyway, this shouldn't be promoted. Atlassian should fix the regression they introduced instead. How many instances are not upgrading due to this issue? In case a security upgrade is mandatory, then we become hostages. Regards

            Sergey Papurin added a comment -

            On Nginx we use redirection from 80 to 443 like:

            return 301 https://$host$request_uri;

            And it is working like a charm.

            Also it's mentioned in CONFSERVER-58098

            Can be added as a workaround for Nginx

            Maarten van Bree added a comment -

            Any update on this one?

            wilfred.mollenvanger added a comment -

            Really Atlassian, a workaround changing the bad URLs in the browser with JavaScript? Just fix the thing!
