-
Bug
-
Resolution: Fixed
-
High
-
6.14.0, 6.14.1, 6.14.2, 6.14.3, 6.15.1, 6.15.2, 6.15.4, 7.0.1
-
61
-
Severity 3 - Minor
-
72
-
Issue Summary
Editing page with a panel, warning, note, tip or info macro over https in the browser will trigger mix content action, it will break the certificate trust on request of plugins/servlet/confluence/placeholder/macro-heading?definition=e25vdGV9&locale=en_US&version=2.
Environment
Confluence 6.14.x
Confluence 6.15.x
Confluence 7.0.x
Connector with SSL
Steps to Reproduce
- Create a page and add an excerpt, warning, note, tip or info macro
- Open inspect tools/network tab and edit the page once again.
Expected Results
The certificate will stay trusted (green) and all request will be resolved over HTTPS
Actual Results
At least one request is resolved over HTTP and certificate is not trusted because of mixed content.
localhost_6.14.1.har.zip
Notes
The issue does not exist in 6.13.x
Workaround
Some users have found the below custom HTML resolves the issue in Chrome:
Copy text/code below into BODY section of Configuration --> Custom HTML
<script type="text/javascript"> function fixFrameContent(frameContent, broken_url_prefix) { var replaced = false; // Replace broken img src urls frameContent.find("img").each(function(index) { var srcUrl = AJS.$(this).attr("src"); if (srcUrl.toLowerCase().startsWith(broken_url_prefix)) { var srcNewUrl = srcUrl.substring(broken_url_prefix.length); AJS.$(this).attr("src", srcNewUrl); replaced=true; }; }); // each img // Replace broken tables for macro - background img url is broken // Iterate over all relevant tables to check background-image URL frameContent.find("table.wysiwyg-macro").each(function(index) { AJS.log(AJS.$(this)); var bgiRaw = AJS.$(this).css("background-image"); if (!bgiRaw) return true; // nothing to do, continue with next element // remove 'url(...)' around the content var bgiUrlMatch = bgiRaw.match(/url\(["']?(.*)["']?\)/); if (!bgiUrlMatch) return true; // nothing to do, continue with next element var bgiUrl = bgiUrlMatch[1]; if (bgiUrl.toLowerCase().startsWith(broken_url_prefix)) { // Remove broken URL, use relative path! var bgiNewUrl = bgiUrl.substring(broken_url_prefix.length); AJS.$(this).css("background-image", "url('"+bgiNewUrl+"')"); } replaced = true; }); // each macro in iframe }; AJS.toInit(function() { if (navigator.userAgent.indexOf("Trident/")>-1) { AJS.log("Fixing broken macro title - Internet Explorer - fix not required"); return; } // Get Base URL var broken_url_prefix = Confluence.getBaseUrl().toLowerCase(); // Replace https with http if (!broken_url_prefix.startsWith("https")) { AJS.log("Fixing broken macro title - no https base URL "+broken_url_prefix); return; } // Remove https and add http broken_url_prefix = "http" + broken_url_prefix.substring(5); AJS.log("Fixing broken macro title - fixing URL prefix "+broken_url_prefix); // Bind to rich text editor event, triggered when edit button is pressed AJS.bind("init.rte", function() { AJS.$(document).bind('postPaste', function(e, pl, o) { // iframe is not filled when postPaste occurs, so wait and retry a few times var copyPasteRetry = 5; var pasteRetryHandle = setInterval(function() { copyPasteRetry--; if(copyPasteRetry<=0) { clearInterval(pasteRetryHandle); return; }; // Find out what is being pasted var $pasted = $(o.node); // Get iframe containing the editor HTML, including the relevant macro tables var frameContent = AJS.$("#wysiwygTextarea_ifr").contents(); // Search editor content for broken links replaced = fixFrameContent(frameContent, broken_url_prefix); // Stop polling in after a complete next iteration if at least one macro was fixed if (replaced && copyPasteRetry>2) copyPasteRetry=2; }, 500); // retry interval 500ms }); // bind postPaste var counter = 10; var replaced = false; // iframe is not filled when RTE event occurs // (Re-)start polling, found no event to wait until editor iframe is filled // and onLoad does not work. var timerHandle = setInterval(function() { // Stop polling when counter reaches zero counter--; if (counter<=0) { clearInterval(timerHandle); return; } // Get iframe containing the editor HTML, including the relevant macro tables var frameContent = AJS.$("#wysiwygTextarea_ifr").contents(); replaced = fixFrameContent(frameContent, broken_url_prefix); // Stop polling in after a complete next iteration if at least one macro was replaced if (replaced && counter>2) counter=2; }, 1000); // every 1000ms }); }); // toInit </script>
- is related to
-
-
- Closed
-
- relates to
-
-
- Closed
-
-
-
- Closed
-
[CONFSERVER-57934] Adding panel,excerpt,warning,note,tip or info macro to the page in edit mode will trigger mixed content action in browser
Hello Atlassian Team,
When are you guys fixing this issue, please expedite asap?
Atlassian team,
Any update on this please provide the solution as earliest
@Atlassian Team
When you guys can fix this issue really its hampering our work.
My confluence version is 7.1.2
oshen@atlassian.com why did you remove this from the sprint again? It's been almost 10 months and looks like a trivial thing to fix. This bug is keeping us from upgrading which we really need to do because of the security issues with our current confluence.
Hi Sergey Papurin, we are behind a corporate reverse proxy and they won't allow this type of hack. Anyway, this shouldn't be promoted. Atlassian should fix the regression they introduced instead. How many instance are not upgrading due to this issue? In case a security upgrade is mandatory, then we become hostages. Regards
On Nginx we use redirection from 80 to 443 like:
return 301 https://$host$request_uri;
And is working like a charm
Also it's mentioned in CONFSERVER-58098
Can be added like a workaround for Nginx
Really Atlassian, a workaround changing the bad urls in the browser with javascript? Just fix the thing!
A fix for this issue is available to Server and Data Center customers in Confluence 7.3.2
Upgrade now or check out the Release Notes to see what other issues are resolved.