-
Bug
-
Resolution: Obsolete
-
Medium (View bug fix roadmap)
-
None
-
4.4.4, 5.0 - EAP, 5.1.4, 5.2.5
-
4.04
-
3
-
Severity 2 - Major
-
A mixed content warning is triggered on the issue navigator with the attached navigator.zip
backup. This data has two projects with non-overlapping issue types.
- Configure JIRA for SSL.
- Restore navigator.zip.
- Open the All Filter. Its a favourite.
- (BUG) Edit the filter. You get a mixed content warning.
This does not happen in IE9.
This only seems to happen if you select a project and issue type in IE8. In IE7 this seems to happen all the time.
- is cloned from
-
-
- Closed
-
- is incorporated by
-
-
- Closed
-
[JRASERVER-26825] Mixed Content Warnings from the Issue Navigator under IE7 and IE8
Some people are seeing this warning when they have a custom security configuration in IE that blocks data URIs.
Right - but just to be clear, this is not the only way that this behaviour occurs?
It also occurs for people using stock standard IE7 and IE8, right? (But not IE 9).
I think the important question is why does it not show that under IE9?
I would guess that it is a bogus warning, and in IE9 Microsoft made a deliberate choice to no longer warn on it.
Of course, it could be the other way around. It could be a legitimate risk and IE9 is buggy in some way that fails to recognise it.
I think the answer to that question tells you if we should try to fix, or close won't fix.
Some people are seeing this warning when they have a custom security configuration in IE that blocks data URIs. If we were to support this it would mean we need to stop using data URIs in our CSS. There are a few ways we could do this, but all are likely to require many touched to the JIRA front end, because we use this all over the place. The work that would require means we need to track this as a feature request. The opportunity cost would then be one fewer features in JIRA 6.1. It's my opinion that we're better off delivering new features than adding support for this. Yilin has created a feature request for this at JRA-31832.
Forwarding message from the customer:
JIRA PM:
Our concern is that given we have corporate security policies, we will not be able to use the current versions of your tools due to the amount of security warnings generated making the tool extremely frustrating to use.
We are in the middle of an upgrade programme for your toolset (hardware and versions) which is now blocked due to this issue.
Our InfoSec group will not allow the global policy of DATA URI blocking to be removed from the environment as this increases the risk to attack.
The use of DATA URI's in your style sheets )introduced in Jira 5 and Confluence do not sit well with more secure environment. We do not see similar issues with the Jira 4 versions we have deployed.
The same issue can be reproduced on IE 8 with the last version of JIRA, by adding the IE software policy (via the IEPOLICY.reg file), The root cause fo the issue seems to we're using data URL in the background process to load the image which is unfortunately consider as unsecured data on IE 8. The test is done by using the IE and opening SAC.
clepetit and edalgliesh, the issue seems to more or less environment related, I've discussed this with Andreas, since this is only appear in IE 8, but I think if we can get the JIRA PM opinion on this should be great, as it does have some impact for the IE user.
Thank you for raising this issue. Unfortunately, IE8 is not supported. Please re-open the issue if you are still facing this issue in newer versions of the supported browsers and JIRA.