Attempting to authenticate OAuth in Fisheye 4.9.0 from Jira Cloud dev panel over tunneled applink results in "Xsrf token validation failed"


    • Type: Bug
    • Resolution: Won't Fix
    • Priority: Low
    • Affects Version/s: 4.9.0
    • Component/s: Integrations
    • Severity 3 - Minor

      Issue Summary

      Authenticating to Fisheye with OAuth from the Jira dev panel over a tunneled application link fails with "Xsrf token validation failed".

      This is reproducible on Data Center: (yes)

      Steps to Reproduce

      • Create a FeCru 4.9.0 instance without SSL. Make sure you have correctly configured the HTTP Site URL for your instance.
      • Create a git repository and add it to Fisheye, so that commits are synced to the Fisheye server.
      • Install the Application tunnel plugin in Fisheye.
      • Set up an Application tunnel to Cloud.
      • Create an Application link using the tunneled link configured above.
      • Make sure all links show a successful two-way connection.
      • Create a sample project in Jira Cloud and push commits referencing its issue keys to the added git repository.
      • Make sure the commits are indexed in Fisheye; they will then show up, through the tunneled link, in the dev panel of the Jira Cloud issue with the matching key.
      • When you try to open the commits in the Jira issue dev panel, it first asks you to approve the OAuth request from Fisheye. This operation fails with the error "Xsrf token validation failed".

      Expected Results

      • OAuth authentication succeeds and the commits are displayed in the Jira dev panel.

      Actual Results

      • The OAuth attempt fails with "Xsrf token validation failed" displayed in Fisheye.

      Workaround

      FeCru sends Referrer-Policy: strict-origin-when-cross-origin for security reasons. This value (strict-origin-when-cross-origin) means:

      Send the origin, path, and query string when performing a same-origin request. For cross-origin requests, send the origin (only) when the protocol security level stays the same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).

      Because the Jira Cloud page is served over HTTPS and the Fisheye Site URL is plain HTTP, the browser drops the Referer header on the cross-origin request, and the XSRF check on the Fisheye side cannot validate it.

      To solve this, configure SSL on the Fisheye instance (either via a reverse proxy or the HTTPS Fisheye connector).
      Note that HTTPS is needed for browser traffic only (the Site URL). The tunnel must still use the original HTTP port, which is set with the JVM argument -Dsecure.tunnel.upstream.port=<<http-port>>.
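      The following is an added example, not FeCru code, that models the mechanism described in the workaround: how a browser applying strict-origin-when-cross-origin decides what Referer to send for a request from an HTTPS Jira Cloud page to Fisheye, and how a server-side check that needs that header behaves with an HTTP versus an HTTPS Site URL. The hostnames, the OAuth endpoint path and the check itself (require a Referer, accept it only from the Site URL or a linked application's origin) are constructed for illustration; the page does not show FeCru's real validation logic.

```python
"""Model of why an HTTP Fisheye Site URL loses the Referer header under
strict-origin-when-cross-origin, and why an HTTPS Site URL restores it.
Added example, not FeCru code; hostnames, paths and check logic are constructed."""
from urllib.parse import urlsplit, urlunsplit

POLICY = "strict-origin-when-cross-origin"  # the Referrer-Policy FeCru sends


def _origin(url: str):
    """(scheme, host, effective port) tuple used for origin comparison."""
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    return (u.scheme, (u.hostname or "").lower(), port)


def referer_for(source_url: str, target_url: str):
    """Referer value a browser sends for a request from source_url to target_url
    under strict-origin-when-cross-origin. None means the header is omitted."""
    src, dst = _origin(source_url), _origin(target_url)
    if src == dst:
        # same-origin: origin + path + query (fragment stripped)
        s = urlsplit(source_url)
        return urlunsplit((s.scheme, s.netloc, s.path, s.query, ""))
    if src[0] == "https" and dst[0] != "https":
        # HTTPS -> HTTP downgrade: the header is suppressed entirely
        return None
    # cross-origin at the same security level: origin only
    return f"{src[0]}://{urlsplit(source_url).netloc}/"


def xsrf_referer_check(site_url: str, trusted_origins, referer):
    """Hypothetical server-side check (not FeCru's real logic): a state-changing
    request must carry a Referer whose origin is the Site URL itself or a linked
    application. A missing header cannot be validated, so it is rejected."""
    if referer is None:
        return False, "Xsrf token validation failed: no Referer header"
    allowed = {_origin(site_url)} | {_origin(o) for o in trusted_origins}
    if _origin(referer) in allowed:
        return True, "ok"
    return False, f"Xsrf token validation failed: unexpected referer {referer}"


JIRA_CLOUD = "https://example.atlassian.net"      # constructed Jira Cloud origin
ISSUE_PAGE = JIRA_CLOUD + "/browse/TEST-1"        # page hosting the dev panel


def simulate(site_url: str):
    """Approval request from the Jira Cloud issue page to Fisheye's OAuth endpoint
    for a given Fisheye Site URL. The endpoint path is a placeholder."""
    target = site_url.rstrip("/") + "/oauth/authorize?oauth_token=TOKEN"
    ref = referer_for(ISSUE_PAGE, target)
    return xsrf_referer_check(site_url, [JIRA_CLOUD], ref)


if __name__ == "__main__":
    for site in ("http://fisheye.example.com:8060", "https://fisheye.example.com"):
        print(f"Site URL {site}: {simulate(site)}")
```

      Running it shows the HTTP Site URL rejected with no Referer present, and the HTTPS Site URL accepted because the browser now sends the Jira Cloud origin. The tunnel's own upstream port is unaffected by this model, which only concerns browser-to-Fisheye traffic.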

      Assignee: Unassigned
      Reporter: Karthik Mahesh
      Votes: 0
      Watchers: 1