Details
- Bug
- Resolution: Unresolved
- Low
- None
- 7.2.3, 7.2.4
- 7.02
- 32
- Severity 3 - Minor
- 2
Description
Summary
- The Activity Stream gadget is blank when HSTS is enabled.
- We currently do not have official Atlassian documentation for integrating HSTS, but the setup from http://stackoverflow.com/questions/27541755/add-hsts-feature-to-tomcat can be followed.
Steps to Reproduce
- Stop JIRA
- Edit the JIRA_INSTALL/conf/web.xml file
- Add the following snippet:
```xml
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>63072000</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```
- Start JIRA
Expected Results
Activity Stream should work as expected.
Actual Results
Activity Stream will display blank.
The following exception is thrown in the developer console:
```
Refused to display 'http://localhost:8722/jira722/plugins/servlet/gadgets/ifr?container=atlassi…t%2Fgadgets%2Factivitystream-gadget.xml&libs=auth-refresh#rpctoken=2715915' in a frame because it set 'X-Frame-Options' to 'DENY'.
batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:7287 Uncaught DOMException: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Blocked a frame with origin "http://localhost:8722" from accessing a cross-origin frame.(…)
```
Notes
A feature request for documentation on integrating JIRA with HSTS has been raised here: https://jira.atlassian.com/browse/JRA-46150
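
The console error reports the frame being refused because of `X-Frame-Options: DENY`, a header that Tomcat's `HttpHeaderSecurityFilter` adds by default whenever the filter is mapped, independently of HSTS. The Python sketch below is an added example, not part of the original report or Atlassian's code: it models Tomcat's defaults for a subset of the filter's init-params to show which headers a `web.xml` yields. The helper names and the `SAMEORIGIN` variant are assumptions, and whether that value is sufficient for the gadget is not confirmed on this page.

```python
import xml.etree.ElementTree as ET

FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"
# Tomcat defaults for the init-params modelled here (a subset of the filter's options).
DEFAULTS = {"hstsEnabled": "true", "hstsMaxAgeSeconds": "0", "hstsIncludeSubDomains": "false",
            "antiClickJackingEnabled": "true", "antiClickJackingOption": "DENY"}

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix

def child_text(elem, name):
    for c in elem:
        if local(c.tag) == name:
            return (c.text or "").strip()
    return None

def effective_headers(web_xml, secure=True):
    """Map filter-name -> headers each HttpHeaderSecurityFilter would add."""
    results = {}
    for f in ET.fromstring(web_xml).iter():
        if local(f.tag) != "filter" or child_text(f, "filter-class") != FILTER_CLASS:
            continue
        p = dict(DEFAULTS)
        for ip in f:
            if local(ip.tag) == "init-param":
                p[child_text(ip, "param-name")] = child_text(ip, "param-value") or ""
        headers = {}
        if p["hstsEnabled"].lower() == "true" and secure:  # HSTS is sent on HTTPS only
            value = "max-age=" + p["hstsMaxAgeSeconds"]
            if p["hstsIncludeSubDomains"].lower() == "true":
                value += ";includeSubDomains"
            headers["Strict-Transport-Security"] = value
        if p["antiClickJackingEnabled"].lower() == "true":  # on unless explicitly disabled
            headers["X-Frame-Options"] = p["antiClickJackingOption"].upper()
        results[child_text(f, "filter-name")] = headers
    return results

def sample(extra=""):
    """Constructed web.xml holding the filter from the steps above, plus `extra`."""
    return ("<web-app><filter><filter-name>httpHeaderSecurity</filter-name>"
            "<filter-class>" + FILTER_CLASS + "</filter-class>"
            "<init-param><param-name>hstsMaxAgeSeconds</param-name>"
            "<param-value>63072000</param-value></init-param>" + extra + "</filter></web-app>")

REPORTED = sample()  # as in the reproduction steps
PINNED = sample("<init-param><param-name>antiClickJackingOption</param-name>"
                "<param-value>SAMEORIGIN</param-value></init-param>")  # assumed variant

if __name__ == "__main__":
    print(effective_headers(REPORTED), effective_headers(PINNED))
```

For the configuration in the reproduction steps the model returns both the HSTS header and `X-Frame-Options: DENY`; over plain HTTP, as in the `http://localhost:8722` URL of the error, only the framing header remains.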
Issue Links
- relates to: JRASERVER-46150 Documentation Regarding HSTS Integration With JIRA (Gathering Interest)