Jira Data Center: JRASERVER-72275

Video attachments stopped playing on issues in Chrome/Safari browsers


Details

    • Affects Version: 8.16
    • 22
    • Severity 3 - Minor
    • 62
      Atlassian Update – 27 May 2021

      Hello,

      This issue has been fixed and will be included in the next release.
      To solve this problem, we will now send different CSP sandbox headers depending on the browser you use. This will be configurable so you can add or modify the clauses sent to supported browsers.

      Jira system admins will be able to decide which clauses are sent to which browsers, and what they contain, by modifying the jira.security.csp.sandbox.browser.differentiated.clauses property.

      Regards,
      Jira Server and Data Center Team


    Description

      Issue Summary

      When a video attachment on an issue is clicked to play it in Google Chrome or Safari, the video doesn't start playing and the request returns HTTP status code 302.

      Steps to Reproduce

      1. We installed a fresh Jira Software instance on version 8.16 (the affected version), and also fresh Jira Software instances on versions 8.15.1, 8.15.0, 8.14.1, 8.14.0 and 8.13.4 for troubleshooting purposes only.
      2. Created a new project.
      3. Created issues (a Bug and a Task) in the project created in the previous step.
      4. Attached an .mp4 video to each issue and tried to play it in Chrome and Safari.

      Expected Results

      It was expected that the video would start to play in both web browsers.

      Actual Results

      The video doesn't start playing only on version 8.16 (the affected version). Because the media request doesn't carry the JSESSIONID cookie (in the case of Google Chrome), it is redirected to the login page with HTTP status code 302:

      Request URL: http://localhost:48160/j8160/secure/attachment/10001/Test.mp4
      Request Method: GET
      Status Code: 302
      Remote Address: [::1]:48160
      Referrer Policy: strict-origin-when-cross-origin

      • In a nutshell, this results in a redirect loop.

      Note

      The problem is a functional regression in Safari/Chrome after the Content-Security-Policy header was introduced for attachments. This was done as part of the improvement of Jira attachment content security.

      Details:
      After the Content-Security-Policy header is set to the sandbox value, Google Chrome treats the attachment as coming from a "unique origin"; see Content Security Policy:

      This can have a wide range of effects on the page: forcing the page into a unique origin, and preventing form submission, among others.

      and the related documentation for CSP: sandbox:

      allow-same-origin
      Allows the content to be treated as being from its normal origin. If this keyword is not used, the embedded content is treated as being from a unique origin.

      So, without allow-same-origin, the sandbox prevents the browser from sending the required cookies to Jira.

      Workaround

      To let Chrome and Safari play attachments (such as videos or audio) added to issues, an admin can disable the feature by adding a site-wide dark feature called jira.security.csp.sandbox.disabled. This stops Jira from setting the Content-Security-Policy header to sandbox for attachments and other assets. Note that this also removes the attachment content-security improvement the header was introduced for, so treat it as a temporary measure until the fix is in place.
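      The following Python is an added example, not Jira's code, that models the mechanism described in the Note, the workaround above and the 27 May 2021 update: the attachment endpoint requires a JSESSIONID cookie and answers 302 to the login page without it; a document sandboxed without allow-same-origin is treated as a unique origin and, as the issue states, its media fetch carries no cookies; the server picks its sandbox clauses per browser and can have the sandbox switched off entirely. The per-browser clause table, the sandbox_disabled flag, the login path and the user-agent strings are assumptions for illustration; the real format of the jira.security.csp.sandbox.browser.differentiated.clauses property is not shown on this page.

```python
# Added example, not Jira's code. It models the mechanism this issue describes:
# the server requires a JSESSIONID cookie on the attachment URL and answers
# 302 to the login page without it; the browser treats a document sandboxed
# without allow-same-origin as a unique (opaque) origin and, as the issue
# says, sends no cookies with the media fetch. The per-browser clause table
# stands in for the jira.security.csp.sandbox.browser.differentiated.clauses
# property and sandbox_disabled for the jira.security.csp.sandbox.disabled
# dark feature; their real formats are not on the page, so both are assumptions.
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

LOGIN_URL = "/login.jsp"  # assumed login path
ATTACHMENT_URL = "/secure/attachment/10001/Test.mp4"  # path from the report

# Assumed clause tables: 8.16 sent a bare 'sandbox' to every browser (an
# opaque-origin sandbox); the fix adds allow-same-origin for Chrome and Safari.
PRE_FIX_CLAUSES: Dict[str, str] = {}
FIXED_CLAUSES: Dict[str, str] = {
    "chrome": "sandbox allow-same-origin",
    "safari": "sandbox allow-same-origin",
}
DEFAULT_SANDBOX_CLAUSES = "sandbox"


def browser_family(user_agent: str) -> str:
    """Coarse UA sniffing. Chrome UAs also contain 'Safari/', so test Chrome first."""
    if "Chrome/" in user_agent or "CriOS/" in user_agent:
        return "chrome"
    if "Safari/" in user_agent:
        return "safari"
    return "other"


def csp_header_for(user_agent: str, clauses: Dict[str, str],
                   sandbox_disabled: bool = False) -> Optional[str]:
    """CSP value for an attachment response; None when the dark feature turns the sandbox off."""
    if sandbox_disabled:
        return None
    return clauses.get(browser_family(user_agent), DEFAULT_SANDBOX_CLAUSES)


def sandbox_allows_same_origin(csp: Optional[str]) -> bool:
    """False only when the policy has a sandbox directive without allow-same-origin."""
    if not csp:
        return True
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "sandbox":
            return "allow-same-origin" in [t.lower() for t in tokens[1:]]
    return True


def serve_attachment(request_headers: Dict[str, str], clauses: Dict[str, str],
                     sandbox_disabled: bool = False) -> Tuple[int, Dict[str, str]]:
    """Server side: 302 to login without a JSESSIONID cookie, else 200 plus the CSP header."""
    cookies = SimpleCookie(request_headers.get("Cookie", ""))
    if "JSESSIONID" not in cookies:
        return 302, {"Location": f"{LOGIN_URL}?os_destination={ATTACHMENT_URL}"}
    headers = {"Content-Type": "video/mp4"}
    csp = csp_header_for(request_headers.get("User-Agent", ""), clauses, sandbox_disabled)
    if csp:
        headers["Content-Security-Policy"] = csp
    return 200, headers


def play_video(user_agent: str, session_id: str, clauses: Dict[str, str],
               sandbox_disabled: bool = False) -> int:
    """Browser side: open the attachment, then fetch the media as the player would.

    Returns the status of the media fetch: 200 means it plays, 302 means it
    bounced to the login page as in the report."""
    nav_headers = {"User-Agent": user_agent, "Cookie": f"JSESSIONID={session_id}"}
    status, response = serve_attachment(nav_headers, clauses, sandbox_disabled)
    if status != 200:
        return status
    media_headers = dict(nav_headers)
    # Modelled from the issue text: an opaque-origin document's media fetch carries no cookies.
    if not sandbox_allows_same_origin(response.get("Content-Security-Policy")):
        del media_headers["Cookie"]
    status, _ = serve_attachment(media_headers, clauses, sandbox_disabled)
    return status


# Constructed sample user agents.
CHROME_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36")
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0"

if __name__ == "__main__":
    print("8.16, Chrome:", play_video(CHROME_UA, "abc123", PRE_FIX_CLAUSES))
    print("8.16, Chrome, dark feature set:",
          play_video(CHROME_UA, "abc123", PRE_FIX_CLAUSES, sandbox_disabled=True))
    print("fixed, Chrome:", play_video(CHROME_UA, "abc123", FIXED_CLAUSES))
    print("fixed, Firefox CSP:", csp_header_for(FIREFOX_UA, FIXED_CLAUSES))
```

      Run stand-alone, the script walks through the three states the issue discusses: the 8.16 behaviour (Chrome's media fetch bounces with 302), the dark-feature workaround (no sandbox header at all, so the fetch succeeds), and the fixed behaviour (Chrome receives allow-same-origin while other browsers keep the bare sandbox). The sandbox_allows_same_origin helper is also a quick way to check a real response header captured from DevTools: any Content-Security-Policy whose sandbox directive lacks allow-same-origin will show this symptom.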

      Attachments

        1. Test.mp4
          2.97 MB

        People

          Filip Nowak
          Manoel da Silva
          Votes: 22
          Watchers: 49