- Bug
- Resolution: Fixed
- High
- 8.16.0, 8.16.1
- 8.16
- 22
- Severity 3 - Minor
- 62
Issue Summary
When trying to play any video attachment on an issue by clicking on it in Google Chrome or Safari, the video doesn't start playing and the request returns HTTP status code 302.
Steps to Reproduce
- We have installed a fresh Jira Software instance on version 8.16 (Affected Version), and also fresh Jira Software instances on versions 8.15.1, 8.15.0, 8.14.1, 8.14.0 and 8.13.4 for troubleshooting purposes only.
- Created a new project.
- Created an issue (Bug and Task) in the project created in the previous step.
- Attached a .mp4 video to that issue and tried to play it in Chrome and Safari.
Expected Results
It was expected that the video would start to play on both web browsers.
Actual Results
The video doesn't start to play only on version 8.16 (Affected Version). Since the request doesn't contain the JSESSIONID cookie (in the case of Google Chrome), it is redirected to the login page with a 302 HTTP status code:
Request URL: http://localhost:48160/j8160/secure/attachment/10001/Test.mp4
Request Method: GET
Status Code: 302
Remote Address: [::1]:48160
Referrer Policy: strict-origin-when-cross-origin
- In a nutshell, there will be a redirection loop.
Note
The problem is a functional regression in Safari/Chrome that appeared after the Content-Security-Policy header was introduced. This was done as part of the improvement of Jira attachment content security.
Details:
After the Content-Security-Policy header is set to the sandbox value, Google Chrome treats the attachment as a "unique origin"; see Content Security Policy:
This can have a wide range of effects on the page: forcing the page into a unique origin, and preventing form submission, among others.
And the related docs, CSP: sandbox:
allow-same-origin
Allows the content to be treated as being from its normal origin. If this keyword is not used, the embedded content is treated as being from a unique origin.
So this prevents the browser from sending the required cookies to Jira.
Workaround
To let Chrome and Safari play back attachments (such as videos or sounds) added to issues, an admin can disable the feature flag by adding a site-wide dark feature called jira.security.csp.sandbox.disabled. This stops the Content-Security-Policy header from being set to sandbox for attachments and other assets.
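The check below is an added example for triaging this report, not code from Jira or Atlassian. It parses a captured Content-Security-Policy header and reports whether a sandbox directive lacks allow-same-origin, the condition described above under which Chrome and Safari treat the attachment as a unique origin and do not send the session cookie. The sample response headers are constructed; the only thing taken from the issue is the attachment path and the header value sandbox.

```python
"""Classify captured attachment responses by their CSP sandbox setting.

Added example, not Jira's code. The response header sets below are
constructed to mirror the states this issue describes.
"""

from typing import Dict, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [tokens]}.

    Directives are separated by ';' and tokens by whitespace. Directive
    names are case-insensitive, so they are lower-cased; a directive that
    appears twice keeps only its first occurrence, as browsers do.
    """
    policy: Dict[str, List[str]] = {}
    for raw_directive in header.split(";"):
        parts = raw_directive.strip().split()
        if not parts:
            continue
        name, tokens = parts[0].lower(), parts[1:]
        policy.setdefault(name, tokens)
    return policy


def sandbox_drops_origin(csp_header: str) -> bool:
    """True when the policy sandboxes the document without allow-same-origin.

    Without that keyword the sandboxed content is treated as coming from a
    unique origin, so cookies scoped to the Jira origin are not sent.
    """
    policy = parse_csp(csp_header)
    if "sandbox" not in policy:
        return False
    keywords = {token.lower() for token in policy["sandbox"]}
    return "allow-same-origin" not in keywords


def check_attachment_response(headers: Dict[str, str]) -> str:
    """Classify one captured response; header names are matched case-insensitively."""
    lowered = {name.lower(): value for name, value in headers.items()}
    csp = lowered.get("content-security-policy")
    if csp is None:
        return "no CSP header: matches the state after the dark feature disables the sandbox header"
    if sandbox_drops_origin(csp):
        return "sandboxed without allow-same-origin: attachment runs as a unique origin, session cookie is not sent"
    return "CSP present, attachment keeps its normal origin"


# Constructed sample responses for /secure/attachment/10001/Test.mp4
AFFECTED_RESPONSE = {"Content-Type": "video/mp4", "Content-Security-Policy": "sandbox"}
WORKAROUND_RESPONSE = {"Content-Type": "video/mp4"}
SAME_ORIGIN_RESPONSE = {
    "Content-Type": "video/mp4",
    "content-security-policy": "default-src 'none'; sandbox allow-same-origin",
}


if __name__ == "__main__":
    for label, response in [
        ("affected 8.16", AFFECTED_RESPONSE),
        ("dark feature set", WORKAROUND_RESPONSE),
        ("sandbox with allow-same-origin", SAME_ORIGIN_RESPONSE),
    ]:
        print(f"{label}: {check_attachment_response(response)}")
```

Run it against header sets copied from the browser's network panel for the 302'd attachment request; a response classified as "sandboxed without allow-same-origin" is the configuration this issue describes, and the absence of the header after adding the dark feature confirms the workaround took effect.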
- was cloned as: JSDSERVER-11118 Video attachments stopped playing on issues in Chrome/Safari browsers from the Customer Portal (Gathering Impact)
- mentioned in