- Type: Bug
- Resolution: Unresolved
- Priority: Low
- None
- Affects Version/s: 9.12.14, 10.3.2
- 9.12
- 1
- Severity 3 - Minor
Issue Summary
The jira.security.csp.sandbox.included.content.disposition application property accepts:
- Empty value
- "attachment"
- "inline"
- "attachment;inline" or "inline;attachment"
If Jira is installed using an Oracle database, the empty value is never set.
This happens because Oracle treats empty strings as NULL. When Jira receives a NULL value for this property, it interprets it as "not set", so it sets the default value, "attachment".
This behavior can potentially affect other application properties - we've validated that jira.clone.prefix is also affected.
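The failure mode described above, modelled as an added example (not Jira's code): a property reader that treats NULL as "not set" loses an explicit empty value once the database stores '' as NULL. The two-table layout is simplified from the query on this page, the `propertyvalue` column and the `audit` labels are assumptions, and SQLite stands in for Oracle with the empty-string coercion emulated in `set_property`.

```python
import sqlite3

DEFAULT = "attachment"  # default value named on this page
KEY = "jira.security.csp.sandbox.included.content.disposition"

def make_db():
    # Simplified layout modelled on the page's query (assumption, not the full schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE propertyentry (id INTEGER PRIMARY KEY, property_key TEXT)")
    db.execute("CREATE TABLE propertystring (id INTEGER PRIMARY KEY, propertyvalue TEXT)")
    return db

def set_property(db, key, value, oracle_semantics):
    # Oracle stores '' as NULL; SQLite does not, so the coercion is emulated here.
    stored = None if (oracle_semantics and value == "") else value
    row = db.execute("SELECT id FROM propertyentry WHERE property_key=?", (key,)).fetchone()
    if row is None:
        pid = db.execute("INSERT INTO propertyentry (property_key) VALUES (?)", (key,)).lastrowid
    else:
        pid = row[0]
    db.execute("INSERT OR REPLACE INTO propertystring (id, propertyvalue) VALUES (?, ?)", (pid, stored))

def effective_value(db, key):
    # Reader that treats NULL as "not set" and falls back to the default.
    row = db.execute(
        "SELECT propertyvalue FROM propertystring WHERE id="
        "(SELECT id FROM propertyentry WHERE property_key=?)", (key,)).fetchone()
    return DEFAULT if row is None or row[0] is None else row[0]

def audit(db, key):
    # Classify the stored state so a lost empty value shows up in a config review.
    row = db.execute(
        "SELECT s.propertyvalue FROM propertyentry e "
        "LEFT JOIN propertystring s ON s.id = e.id WHERE e.property_key=?", (key,)).fetchone()
    if row is None:
        return "never-set"
    if row[0] is None:
        return "null-stored"  # key exists but value is NULL: the default is applied
    return "explicit"

def round_trip(value, oracle_semantics):
    # Write a value, then report (effective value, stored-state classification).
    db = make_db()
    set_property(db, KEY, value, oracle_semantics)
    return effective_value(db, KEY), audit(db, KEY)
```

Only the empty value fails to round-trip under the emulated Oracle semantics; the three non-empty values accepted by the property are stored and read back unchanged.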
Steps to Reproduce
- Install Jira using an Oracle DB
- Navigate to ⚙ > System > General configuration > Advanced settings
- Set jira.security.csp.sandbox.included.content.disposition to an empty value
Expected Results
The empty configuration is applied
Actual Results
The configuration remains as "attachment", even though the application property is altered, which can be validated using the query:
SELECT * FROM propertystring WHERE id=(select id from propertyentry where property_key='jira.security.csp.sandbox.included.content.disposition');
Workaround
Currently there is no known workaround for this behavior. A workaround will be added here when available.
If the Content-Security-Policy is causing problems, you can turn it off by setting jira.security.csp.sandbox.disabled on the Dark Feature page.
For more about security headers, see Security headers in Jira.
For the clone prefix, it needs to be set to something. If you'd like no prefix, then you can configure an automation to remove it.