JRASERVER-72275 (Jira Data Center)

Video attachments stopped playing on issues in Chrome/Safari browsers

    • Affects Version/s: 8.16
    • Severity 3 - Minor
    • Votes: 22
      Atlassian Update – 27 May 2021

      Hello,

      This issue has been fixed and will be included in the next release.
      To solve this problem, we will now send different CSP sandbox headers depending on the browser you use. This will be configurable so you can add or modify the clauses sent to supported browsers.

      Jira system admins will be able to decide which clauses are sent to which browsers, and what they contain, by modifying the jira.security.csp.sandbox.browser.differentiated.clauses property.

      Regards,
      Jira Server and Data Center Team


      Issue Summary

      When trying to play any video attachment on an issue by clicking on it using Google Chrome or Safari, the video doesn't start playing and the request returns HTTP status code 302.

      Steps to Reproduce

      1. We installed a fresh Jira Software instance on version 8.16 (affected version) and, for troubleshooting purposes only, fresh Jira Software instances on versions 8.15.1, 8.15.0, 8.14.1, 8.14.0 and 8.13.4.
      2. Created a new project.
      3. Created an issue (Bug and Task) in the project created in the previous step.
      4. Attached a .mp4 video to that issue and tried to play it in Chrome and Safari.

      Expected Results

      It was expected that the video would start to play on both web browsers.

      Actual Results

      The video doesn't start playing only on version 8.16 (affected version), and since the request doesn't contain the JSESSIONID cookie (in the case of Google Chrome), it is redirected to the login page with HTTP status code 302:

      Request URL: http://localhost:48160/j8160/secure/attachment/10001/Test.mp4
      Request Method: GET
      Status Code: 302
      Remote Address: [::1]:48160
      Referrer Policy: strict-origin-when-cross-origin
      
      • In a nutshell, there will be a redirection loop.

      Note

      The problem is a functional regression that happened in Safari/Chrome after the Content-Security-Policy header was introduced. This was done as part of the improvement of Jira attachment content security.

      Details:
      After setting the Content-Security-Policy header to the sandbox value, Google Chrome treats it as a "unique origin", see Content Security Policy:

      This can have a wide range of effects on the page: forcing the page into a unique origin, and preventing form submission, among others.

      And related docs CSP: sandbox

      allow-same-origin
      Allows the content to be treated as being from its normal origin. If this keyword is not used, the embedded content is treated as being from a unique origin.

      so this prevents a browser from sending the required cookies to Jira.

      Workaround

      In order to enable Chrome and Safari to properly play back attachments (like videos or sounds) added to issues, an admin can disable the feature by adding a Site Wide Dark Feature called jira.security.csp.sandbox.disabled. This stops the Content-Security-Policy header being set to sandbox for attachments and other assets.

      Attachment: Test.mp4 (2.97 MB)
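
The following is an added example for this issue, not code from Jira or from the reporter. It parses the Content-Security-Policy header of an attachment response, flags the condition the report describes (a sandbox directive without allow-same-origin, which makes the browser render the response in a unique origin and withhold Jira's cookies), and recognises the resulting redirect to the login page. The sample responses are constructed to mirror the report; the "hypothetical fix" value is an assumption and not the exact clause Jira sends after the fix. The probe() helper is for use against a real instance and is not run here.

```python
"""Diagnose an attachment response in terms of JRASERVER-72275.

Added example; not Jira code.  It does not model the
jira.security.csp.sandbox.* properties, only the HTTP-level symptoms.
"""
from __future__ import annotations

from typing import Dict, List, Tuple
from urllib.error import HTTPError
from urllib.request import HTTPRedirectHandler, Request, build_opener

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [tokens]}.

    Directive names are case-insensitive and only the first occurrence of a
    directive counts, as the CSP spec requires.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def sandbox_forces_unique_origin(header: str) -> bool:
    """True when a sandbox directive is present without allow-same-origin.

    That is the condition under which the browser renders the response in a
    unique (opaque) origin instead of the Jira origin.
    """
    policy = parse_csp(header)
    if "sandbox" not in policy:
        return False
    return "allow-same-origin" not in {t.lower() for t in policy["sandbox"]}


def _get(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; '' when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def diagnose(status: int, headers: Dict[str, str]) -> List[str]:
    """Return the findings for one response; an empty list means 'plays'."""
    findings: List[str] = []
    if status in REDIRECT_CODES and "login" in _get(headers, "Location").lower():
        findings.append("redirected to login: the session cookie was not sent")
    csp = _get(headers, "Content-Security-Policy")
    if csp and sandbox_forces_unique_origin(csp):
        findings.append("CSP sandbox without allow-same-origin: unique origin, "
                        "so the browser will not attach Jira cookies")
    return findings


class _NoRedirect(HTTPRedirectHandler):
    """Surface the 302 itself instead of following it to login.jsp."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str, jsessionid: str, user_agent: str) -> Tuple[int, Dict[str, str]]:
    """Fetch an attachment URL once, without following redirects.

    Returns (status, headers) so that diagnose() can be applied to a live
    instance.  Not executed in this example.
    """
    req = Request(url, headers={"Cookie": f"JSESSIONID={jsessionid}",
                                "User-Agent": user_agent})
    try:
        with build_opener(_NoRedirect()).open(req) as resp:
            return resp.status, dict(resp.headers.items())
    except HTTPError as err:
        return err.code, dict(err.headers.items())


# Constructed samples mirroring the report (not captured from an instance).
# NAVIGATION: the document response the browser sandboxes into a unique origin.
# MEDIA_FETCH: the media element's follow-up request, sent without JSESSIONID.
# WORKAROUND: the dark feature enabled, so no sandbox header at all.
# HYPOTHETICAL_FIX: an assumed clause with allow-same-origin; not Jira's value.
NAVIGATION = (200, {"Content-Type": "video/mp4",
                    "Content-Security-Policy": "sandbox"})
MEDIA_FETCH = (302, {"Location": "http://localhost:48160/j8160/login.jsp"})
WORKAROUND = (200, {"Content-Type": "video/mp4"})
HYPOTHETICAL_FIX = (200, {"Content-Type": "video/mp4",
                          "Content-Security-Policy": "sandbox allow-same-origin"})

if __name__ == "__main__":
    for label, (status, headers) in [("navigation", NAVIGATION),
                                     ("media fetch", MEDIA_FETCH),
                                     ("workaround", WORKAROUND),
                                     ("hypothetical fix", HYPOTHETICAL_FIX)]:
        print(f"{label}: {status} {diagnose(status, headers) or ['plays']}")
```

To check a real instance, call probe() with the attachment URL, a valid JSESSIONID and the user agent of the browser in question, then pass the result to diagnose(); a 302 to login.jsp on the media request, or a bare sandbox directive on the document response, is the signature described above.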


People: Filip Nowak, Manoel da Silva
Votes: 22
Watchers: 49
Affected customers: 22