Activity Stream Gadget does not load when HSTS is enabled


    • 7.02
    • 32
    • Severity 3 - Minor
    • 1

      Summary

      1. The Activity Stream gadget is blank when HSTS is enabled.
      2. There is currently no official Atlassian documentation for enabling HSTS, but the setup from http://stackoverflow.com/questions/27541755/add-hsts-feature-to-tomcat can be followed.

      Steps to Reproduce

      1. Stop JIRA
      2. Edit the JIRA_INSTALL/conf/web.xml file
      3. Add the following snippet:
        <filter>
        	<filter-name>httpHeaderSecurity</filter-name>
        	<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        	<init-param>
        		<param-name>hstsMaxAgeSeconds</param-name>
        		<param-value>63072000</param-value>
        	</init-param>
        	<async-supported>true</async-supported>
        </filter>
        <filter-mapping>
        	<filter-name>httpHeaderSecurity</filter-name>
        	<url-pattern>/*</url-pattern>
        	<dispatcher>REQUEST</dispatcher>
        </filter-mapping>
        
      4. Start JIRA

      Expected Results

      Activity Stream should work as expected.

      Actual Results

      The Activity Stream displays blank.

      The following errors appear in the browser developer console:

      Refused to display 'http://localhost:8722/jira722/plugins/servlet/gadgets/ifr?container=atlassi…t%2Fgadgets%2Factivitystream-gadget.xml&libs=auth-refresh#rpctoken=2715915' in a frame because it set 'X-Frame-Options' to 'DENY'.
      batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:7287 Uncaught DOMException: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Blocked a frame with origin "http://localhost:8722" from accessing a cross-origin frame.(…)
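A check to run after the restart, added here as an example (it is not part of the issue or of Jira). It reads the raw headers of one response, for example the output of `curl -sI https://jira.example.com/` (the hostname is a placeholder), and reports whether Strict-Transport-Security is present with the intended max-age and whether X-Frame-Options would stop the gadget iframe from loading. The sample responses embedded in it are constructed for the example, not captured from a real Jira; the third one is what the report's plain http://localhost reproduction would send, since the filter adds X-Frame-Options regardless of scheme but HSTS only on secure requests.

```python
"""Header check for a Tomcat HttpHeaderSecurityFilter deployment.
Added example, not part of the Jira issue. Feed it raw response headers,
e.g. from `curl -sI https://jira.example.com/` (hostname is a placeholder)."""
import re
import sys
import urllib.request

# The max-age from the filter snippet in the report: two years in seconds.
MIN_MAX_AGE = 63072000

# Constructed sample responses (not captured from a real server).
SAMPLE_BROKEN = """HTTP/1.1 200
Strict-Transport-Security: max-age=63072000
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
"""

SAMPLE_FIXED = """HTTP/1.1 200
Strict-Transport-Security: max-age=63072000
Content-Type: text/html;charset=UTF-8
"""

# Plain-HTTP reproduction: X-Frame-Options is added regardless of scheme,
# Strict-Transport-Security only when Tomcat sees the request as secure.
SAMPLE_PLAIN_HTTP = """HTTP/1.1 200
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
"""


def parse_headers(raw):
    """Map lowercase header name -> value; status line and blank lines are skipped."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw, min_max_age=MIN_MAX_AGE):
    """Describe the HSTS and framing posture of one response."""
    h = parse_headers(raw)
    result = {"hsts_present": False, "hsts_max_age": None,
              "hsts_ok": False, "frameable": True, "problems": []}

    hsts = h.get("strict-transport-security")
    if hsts is None:
        result["problems"].append(
            "no Strict-Transport-Security header: the filter only adds it when "
            "request.isSecure(); plain HTTP, or a TLS-terminating proxy whose "
            "connector is not marked secure, never gets it")
    else:
        result["hsts_present"] = True
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if m is None:
            result["problems"].append("Strict-Transport-Security has no max-age")
        else:
            age = int(m.group(1))
            result["hsts_max_age"] = age
            if age >= min_max_age:
                result["hsts_ok"] = True
            else:
                result["problems"].append(
                    "max-age %d is below the intended %d" % (age, min_max_age))

    # DENY refuses every iframe; SAMEORIGIN or no header still lets the
    # same-origin gadget iframe load.
    xfo = h.get("x-frame-options", "").upper()
    if xfo == "DENY":
        result["frameable"] = False
        result["problems"].append(
            "X-Frame-Options: DENY: browsers refuse to load this URL in any "
            "iframe, including the gadget iframe the Activity Stream uses")
    return result


def fetch_raw_headers(url):
    """HEAD request; returns the response headers as raw text for audit()."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req) as resp:
        return str(resp.headers)


if __name__ == "__main__":
    # Usage: python hsts_check.py https://jira.example.com/
    raw = fetch_raw_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_BROKEN
    for key, value in audit(raw).items():
        print("%-13s %s" % (key + ":", value))
```

Run it against the dashboard URL and against the gadget URL from the console error; the gadget response is the one that must not carry X-Frame-Options: DENY.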
       

      Notes

      A feature request for documentation on integrating JIRA with HSTS has been raised here: https://jira.atlassian.com/browse/JRA-46150

            Assignee: Unassigned
            Reporter: Adrian Stephen (Inactive)
            Votes: 12
            Watchers: 16