Jira Data Center: JRASERVER-67896

Enhancement on the clickjacking response headers for Jira


    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      Request Description

      In regards to clickjacking protection, Jira supports an all-or-nothing approach:
      you can have it enabled for the full site, disabled for selected pages, or disabled for the entire site.

      When gadgets are not available for certain functionality, the option to load Jira content in Confluence is to use the HTML Macro together with an iFrame.
      This is also the case when customers need to include Jira pages within an iFrame in their own applications.

      For some customers, completely disabling the security headers in Jira may not be an option, even for specific pages.
      While browsers support headers through which you can allow specific target sites to load content in an iFrame, Jira doesn't provide a configuration for them.

      Current Scenario

      As described in JRASERVER-25143 and in Security headers in JIRA, Jira uses the following response headers related to clickjacking:

      Header                    Value
      X-Frame-Options           SAMEORIGIN
      Content-Security-Policy   frame-ancestors 'self'

      As explained in Security headers in JIRA, these headers can be completely disabled for specific pages or for the entire site using JVM arguments.

      Expected Scenario

      In addition to the current scenario, Jira should have a configuration that allows specific target applications to frame the entire site while preventing access from any other.
      This can be achieved by providing a list of allowed sites in the response headers listed above (X-Frame-Options and Content-Security-Policy frame-ancestors).

      Both directives may be required because of differing browser support.

      Workaround

      If a reverse proxy is in use, modify the response headers so that they carry the clickjacking directives highlighted above.

      Changes on Nginx configuration

      The goal of this Nginx change is to modify the Content-Security-Policy frame-ancestors response header sent by Jira, allowing specific services to load a Jira page within an iFrame.

      By default, Jira sends the following response header for all requests:

      Content-Security-Policy: frame-ancestors 'self';

      From Nginx, we need to remove this response header and send a new one with the changes we need.

      To remove the default response header, the following directive can be used:

      proxy_hide_header Content-Security-Policy;


      To add the header with the needed configuration, the following directive should be used:

      add_header Content-Security-Policy "frame-ancestors 'self' <external-service-URL>" always;


      <external-service-URL> should be replaced with a value that follows the host-source format defined in the Content Security Policy specification.

      Both of the above directives should be added within the location block for Jira in the Nginx configuration file.
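      The following is an added example, not code from the issue or from Atlassian: it mirrors in Python what the proxy_hide_header/add_header pair does to Jira's default headers, rejects host-source values that would weaken the policy (a bare "*", stray ";" or ","), and then checks which embedding origins the resulting headers would actually allow. The host names used and the use of Python's urlsplit for source matching are assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the two headers Jira sends by default, as quoted in the issue.
JIRA_DEFAULT_HEADERS = {"X-Frame-Options": "SAMEORIGIN",
                        "Content-Security-Policy": "frame-ancestors 'self';"}

# Loose CSP host-source grammar: optional scheme, host (optional "*." wildcard),
# optional port and path. A bare "*" never matches: it would let any site frame Jira.
_HOST_SOURCE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*"
                          r"(?::\d{1,5})?(?:/[^\s;,]*)?$", re.IGNORECASE)

def rewrite_frame_ancestors(headers, allowed):
    """Copy of `headers` with frame-ancestors set to 'self' plus `allowed`, mirroring
    the Nginx proxy_hide_header/add_header workaround; other CSP directives are kept."""
    bad = [s for s in allowed if not _HOST_SOURCE.match(s)]
    if bad:
        raise ValueError("invalid host-source(s): %s" % bad)
    directives = [d.strip() for d in headers.get("Content-Security-Policy", "").split(";")]
    others = [d for d in directives if d and not d.lower().startswith("frame-ancestors")]
    out = dict(headers)
    out["Content-Security-Policy"] = "; ".join(["frame-ancestors 'self' " + " ".join(allowed)] + others)
    return out

def _source_matches(src, emb):
    # One host-source vs. a parsed embedder origin: scheme, host ("*." wildcard) and port.
    parsed = urlsplit(src if "://" in src else "%s://%s" % (emb.scheme, src))
    host, want = parsed.hostname or "", emb.hostname or ""
    host_ok = want.endswith(host[1:]) if host.startswith("*.") else host == want
    default = {"https": 443, "http": 80}
    return (parsed.scheme == emb.scheme and host_ok and
            (parsed.port or default.get(parsed.scheme)) == (emb.port or default.get(emb.scheme)))

def framing_allowed(headers, embedder_origin, jira_origin):
    """Would a CSP-aware browser let a page at `embedder_origin` frame Jira? frame-ancestors
    wins over X-Frame-Options when both are present; otherwise SAMEORIGIN allows only Jira's
    own origin and DENY allows nothing."""
    emb = urlsplit(embedder_origin)
    for directive in headers.get("Content-Security-Policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        for src in value.split():
            if src == "'self'" and embedder_origin == jira_origin:
                return True
            if not src.startswith("'") and _source_matches(src, emb):
                return True
        return False  # directive present but no source matched
    xfo = headers.get("X-Frame-Options", "").upper()
    return xfo != "DENY" and (xfo != "SAMEORIGIN" or embedder_origin == jira_origin)
```

      Run framing_allowed against the headers the proxy really returns (for example captured with curl -I) to confirm that only the intended Confluence or application origin, with the exact scheme and port, can frame Jira.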

      People

        Assignee: Unassigned
        Reporter: Thiago Masutti (tmasutti)
        Votes: 10
        Watchers: 7