Status: Closed
Affects Version/s: 8.16.0, 8.16.1
Component/s: Issue - Attachments
Introduced in Version: 8.16
Support reference count: 22
Symptom Severity: Severity 3 - Minor
Current Status: Atlassian Update – 27 May 2021

Hello, this issue has been fixed and will be included in the next release. To solve this problem, we will now send different CSP sandbox headers depending on the browser you use. This will be configurable so you can add or modify the clauses sent to supported browsers. Jira system admins will be able to decide which clauses are sent to which browsers, and what they contain, by modifying the jira.security.csp.sandbox.browser.differentiated.clauses property.

Regards, Jira Server and Data Center Team
When trying to play any video attachment on an issue by clicking on it in Google Chrome or Safari, the video doesn't start playing and the request returns HTTP status code 302.
- We installed a fresh Jira Software instance on version 8.16 (affected version); for troubleshooting purposes only, we also installed fresh Jira Software instances on versions 8.15.1, 8.15.0, 8.14.1, 8.14.0 and 8.13.4.
- Created a new project.
- Created an issue (Bug and Task) in the project created in the previous step.
- Attached a .mp4 video to that issue and tried to play it in Chrome and Safari.
It was expected that the video would start to play in both web browsers.
The video fails to play only on version 8.16 (affected version). Because the request doesn't contain the JSESSIONID cookie (in the case of Google Chrome), it is redirected to the login page with a 302 HTTP status code:
- In a nutshell, there is a redirection loop.
The problem is a functional regression in Safari/Chrome introduced with the Content-Security-Policy header, which was added as part of the improvement of Jira attachment content security.
After the Content-Security-Policy header is set to the sandbox value, Google Chrome treats the content as coming from a "unique origin"; see Content Security Policy:
"This can have a wide range of effects on the page: forcing the page into a unique origin, and preventing form submission, among others."
And the related docs, CSP: sandbox, on the allow-same-origin keyword:
"Allows the content to be treated as being from its normal origin. If this keyword is not used, the embedded content is treated as being from a unique origin."
So the sandbox prevents the browser from sending the required cookies to Jira.
In order to enable Chrome and Safari to play back attachments (such as videos or sounds) added to issues, an admin can disable the feature by adding a site-wide dark feature called jira.security.csp.sandbox.disabled. This stops Jira from setting the Content-Security-Policy header to sandbox for attachments and other assets.
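To show how browser-differentiated sandbox clauses like those described in the Atlassian update could be selected, here is an added example that is not Jira's own code; the clause format, the User-Agent detection and the default clauses are my assumptions. It keeps the strict `sandbox` for every browser except Chrome and Safari, which get `allow-same-origin` so the session cookie is sent again while scripts stay blocked, and it refuses a clause that would combine allow-scripts with allow-same-origin.

```python
import re

# Constructed defaults (not Jira's real property format): the strict clause
# for every browser, plus allow-same-origin for Chrome and Safari so the
# session cookie is still sent. allow-scripts stays absent, so an uploaded
# HTML attachment still cannot run script in the site's origin.
DEFAULT_CLAUSES = {
    "default": "sandbox",
    "chrome": "sandbox allow-same-origin",
    "safari": "sandbox allow-same-origin",
}

# Chrome's User-Agent also contains "Safari", so Chrome is matched first.
_FAMILY_PATTERNS = [
    ("chrome", re.compile(r"Chrome/|CriOS/")),
    ("safari", re.compile(r"Version/[\d.]+.*Safari/")),
]


def browser_family(user_agent):
    """Map a User-Agent string to a clause key; unknown browsers get 'default'."""
    for name, pattern in _FAMILY_PATTERNS:
        if pattern.search(user_agent or ""):
            return name
    return "default"


def validate_sandbox(clause):
    """Return the sandbox flags of a clause, or raise if it is not a sandbox
    directive or combines allow-scripts with allow-same-origin, which lets
    sandboxed content remove its own sandbox and defeats the protection."""
    tokens = clause.split()
    if not tokens or tokens[0].lower() != "sandbox":
        raise ValueError("clause must start with 'sandbox'")
    flags = {t.lower() for t in tokens[1:]}
    if {"allow-scripts", "allow-same-origin"} <= flags:
        raise ValueError("allow-scripts with allow-same-origin defeats the sandbox")
    return flags


def sandbox_clause(user_agent, clauses=DEFAULT_CLAUSES):
    """Pick the Content-Security-Policy value for an attachment response."""
    clause = clauses.get(browser_family(user_agent), clauses["default"])
    validate_sandbox(clause)
    return clause
```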