
Knowledge base article cannot be displayed on the customer portal when JSM is integrated with Confluence 8.5.7+

      Issue Summary

      Knowledge base article cannot be displayed on the customer portal when JSM is integrated with Confluence 8.5.7+. When attempting to preview a Knowledge Base article, you receive the error message "<confluence site URL> refused to connect" in the iframe popup.

      Environment:

      • Any JSM Data Center version
      • Confluence Data Center on 8.5.7 or any higher version

      Note

      This issue only happens when Confluence is on 8.5.7.

      More information about the root cause in the KB article: https://confluence.atlassian.com/jirakb/kb-preview-is-failing-with-a-refused-to-frame-site-because-an-ancestor-violates-the-following-content-security-policy-directive-frame-ancestors-self-error-in-browser-s-console-1388151291.html

      Steps to Reproduce

      • Integrate JSM with Confluence to provide Customers with a knowledge base
      • Go to the customer portal and search for any KB article
      • Click on the article to open it in an iFrame on the customer portal

      Expected Results

      The article should be displayed.

      Actual Results

      The article is not displayed and we receive the error message "<confluence site URL> refused to connect" in the iframe popup.

      Workaround

      1. Set the JVM parameter below (on all nodes if you are running a multi-node Data Center cluster) so that only the Jira host is allowed to display Confluence content in an iframe. Replace <JIRA hostname> with your own value before applying the configuration. See Configuring System Properties for more on setting system properties.
        • If Jira is not running as a service and the JVM parameters are configured in the setenv.sh or the setenv.bat file, add the line below:
          CATALINA_OPTS="-Dhttp.header.security.content.security.policy.value=\"frame-ancestors 'self' <JIRA hostname>\" ${CATALINA_OPTS}"
        • If Jira is running as a Windows service, add the Java option below (without double quotes):
          -Dhttp.header.security.content.security.policy.value=frame-ancestors 'self' <JIRA hostname>
      2. Perform a rolling restart of Confluence


            [CONFSERVER-95123] Knowledge base article cannot be displayed on the customer portal when JSM is integrated with Confluence 8.5.7+

            James Whitehead added a comment -

            A fix for this issue is available in Confluence Data Center 9.0.1.
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            James Whitehead added a comment -

            A fix for this issue is available in Confluence Server and Data Center 8.5.9.
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            Irina Tiapchenko added a comment -

            Hi everyone,

            I have some information about the fix - it's now released in 8.9.1 and will also be available in 8.5.9 (if everything goes well this version should be released in the next few days).

            The fix was to include all applink URLs in the Content-Security-Policy header by default. So now if you have any applinks set up in your instance, this header will look like this:

            frame-ancestors 'self' <Hostname JSM> <Hostname JSD>

            If you have used the workaround from the KB article and added the system property http.header.security.content.security.policy.value, I recommend removing this system property from your system and relying on the fix. If you decide to keep this setting, then please keep in mind that it completely overrides this header. So in future if you add any new applinks to your system, the issue could reappear for those new domains unless you add them to the system property as well.

            We also added a new system property, which can be used to modify the value of this header - confluence.security.allowed.urls. The main difference between this new system property and http.header.security.content.security.policy.value is that the new one will add URLs to the existing Content-Security-Policy header, but the old one will completely override it. Information about the new system property is available here - https://confluence.atlassian.com/doc/recognized-system-properties-190430.html. You will only need it if you have any domains which do not match the ones that you have in your applinks.

            Alex Gay added a comment -

            Hi

            When will the LTS version be available?

            Latest Long Term Support release: 8.5.8 | 01-Apr-2024 | Release notes

            James Whitehead added a comment -

            A fix for this issue is available in Confluence Data Center 8.9.1.
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            Jeffrey Thornsen added a comment -

            Make sure that you specify the user-facing DNS alias or hostname of your Jira Service Management instance. If your users access your Jira Service Management by more than 1 alias, I think you can also specify multiple names. This needs to match the URL that the end-user will be using in their web browser - not necessarily the hostname or servername of your JSM service.

            For example:

            #/opt/atlassian/confluence/bin/setenv.sh

            CATALINA_OPTS="-Dhttp.header.security.content.security.policy.value=\"frame-ancestors 'self' helpdesk.mycompany.example.com support.mycompany.example.com\" ${CATALINA_OPTS}"
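            Added example, not part of any comment above and not Atlassian's code: a simplified Python model of how a browser evaluates frame-ancestors against the URL of the embedding page, which illustrates both the hostname advice above and the override-versus-append difference described in the earlier comment about the fix. The hostnames are constructed, effective_policy() is a hypothetical model of the behaviour that comment describes, and only a single embedding page is checked.

```python
from urllib.parse import urlsplit

PORTS = {"http": 80, "https": 443}

def origin(url):
    u = urlsplit(url)
    return u.scheme, u.hostname or "", u.port or PORTS.get(u.scheme)

def frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if it is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def source_matches(source, parent_url, self_url):
    """Simplified host-source matching (no paths, ':*' ports or scheme-only sources)."""
    scheme, host, port = origin(parent_url)
    if source == "'self'":
        return (scheme, host, port) == origin(self_url)
    if source == "*":
        return scheme in PORTS
    src = urlsplit(source if "://" in source else "//" + source)
    want = src.scheme or origin(self_url)[0]  # scheme-less source inherits the page's scheme
    scheme_ok = scheme == want or (want == "http" and scheme == "https")
    src_host = src.hostname or ""
    host_ok = host.endswith(src_host[1:]) if src_host.startswith("*.") else host == src_host
    port_ok = port == (src.port or PORTS.get(scheme))
    return scheme_ok and host_ok and port_ok

def may_frame(csp, parent_url, self_url):
    """True if the page at parent_url may embed the page at self_url under this CSP value."""
    sources = frame_ancestors(csp)
    return sources is None or any(source_matches(s, parent_url, self_url) for s in sources)

def effective_policy(applink_hosts, override=None, allowed_urls=()):
    """Hypothetical model: the override property replaces the value outright;
    otherwise applink hosts and extra allowed URLs are appended after 'self'."""
    if override is not None:
        return override
    return " ".join(["frame-ancestors", "'self'", *applink_hosts, *allowed_urls])

# Constructed sample values (not taken from the issue).
CONFLUENCE = "https://wiki.example.com/display/KB/page"
PORTAL = "https://helpdesk.example.com/servicedesk/customer/portal/1"
APP_SERVER_POLICY = "frame-ancestors 'self' jira-node1.internal.example.com"
print(may_frame(APP_SERVER_POLICY, PORTAL, CONFLUENCE))
```

            The value that matters is the host in the customer's address bar: a policy listing only the internal application server name is rejected for the portal URL, while one listing helpdesk.example.com is accepted.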

            Perrino David added a comment -

            Hi,

            I have the same problem, applying the workaround has no effect, have you another proposal?

            Clemens Schwarz added a comment -

            I have the same problem, applying the workaround has no effect, is there a trick to it?

            Brent Nye added a comment - - edited

            Likewise, I used the -Dhttp.header.security.content.security.policy.value=\"frame-ancestors 'self' <Hostname Jira Application Server>\"  without success. I even tried removing the escape characters (backslash), which had no effect.


            Florian Schüller added a comment -

            Hi,

            which value is required in the workaround in the JVM options for <JIRA hostname>? Is it the hostname of the Application Server? I have set the following option in Tomcat, but unfortunately it's not working:

            -Dhttp.header.security.content.security.policy.value=\"frame-ancestors 'self' <Hostname Jira Application Server>\"

            Pls help

            best regards,

            florian
