- Bug
- Resolution: Unresolved
- Low
- None
- 4.20.1, 5.12.10
- 8.16
- 8
- Severity 3 - Minor

Issue Summary
When trying to play a video attachment on an issue in the JSM Customer Portal by clicking on it in Google Chrome or Safari, the video doesn't start playing and we can see blocked script executions in the browser console.
Steps to Reproduce
- Installed a fresh JSM instance on version 4.20 (affected version).
- Created a new project.
- Created an issue (Get IT Help) in the project created in the previous step.
- Attached a .mp4 video to that issue and tried to play it in Chrome and Safari.
Expected Results
It was expected that the video would start to play on both web browsers.
Actual Results
The video doesn't start to play, and the browser console shows the following messages:
    Blocked script execution in 'https://<base_url>/servicedesk/customershim/secure/attachment/10100/10100_E4614E76-FBB1-42B6-9C72-10220B13E345.MP4?fromIssue=1011201' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
    VM56 injected.js:1 Blocked script execution in 'https://<base-url>/servicedesk/customershim/secure/attachment/10100/10100_E4614E76-FBB1-42B6-9C72-10220B13E345.MP4?fromIssue=1011201' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
    (anonymous) @ VM56 injected.js:1
    v @ VM56 injected.js:1
    injectable @ VM56 injected.js:1
    (anonymous) @ VM56 injected.js:1
    g @ VM56 injected.js:1
    m @ VM56 injected.js:1
    (anonymous) @ VM56 injected.js:1
    await in (anonymous) (async)
    (anonymous) @ VM56 injected.js:1
    (anonymous) @ VM56 injected.js:1
    n @ VM56 injected.js:1
    (anonymous) @ VM56 injected.js:1
    (anonymous) @ VM56 injected.js:1
    n @ VM56 injected.js:1
    (anonymous) @ VM56 injected.js:1
    (anonymous) @ VM56 injected.js:1
    Cross-Origin Read Blocking (CORB) blocked cross-origin response https://<base-url>/servicedesk/customer/user/login?absolute=true&destination=%2Fservicedesk%2Fcustomershim%2Fsecure%2Fattachment%2F10100%2F10100_E4614E76-FBB1-42B6-9C72-10220B13E345.MP4%3FfromIssue%3D1011201 with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.
    10100_E4614E76-FBB1-42B6-9C72-10220B13E345.MP4:1 Blocked script execution in 'https://<base-url>/servicedesk/customershim/secure/attachment/10100/10100_E4614E76-FBB1-42B6-9C72-10220B13E345.MP4?fromIssue=1011201' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

This issue was fixed under the JRASERVER-72275 bug; however, that fix doesn't apply to the JSM customer portal.
Workaround
To enable Chrome and Safari to properly play back attachments (like videos or sounds) added to issues, an admin can disable a feature flag by adding a Site Wide Dark Feature called jira.security.csp.sandbox.disabled. This stops Jira from setting the Content-Security-Policy header to sandbox for attachments and other assets.
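
The workaround removes the `sandbox` value of the Content-Security-Policy header from attachment responses, which is the condition the console messages above report. To check which responses carry that header before and after adding the dark feature, the following added example (not Atlassian code; the function names and the sample header values are constructed for illustration) parses a header value and reports whether the document is sandboxed and whether the sandbox lets scripts run.

```javascript
// Added example: decide whether a Content-Security-Policy header value
// sandboxes the document and whether that sandbox permits scripts.

// Parse one serialized policy ("name value; name value") into a Map.
// Directive names are case-insensitive; a repeated directive is ignored.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// A header may carry several comma-separated policies and all of them are
// enforced, so one sandbox directive without allow-scripts blocks scripts.
// sandboxAllowsScripts only reflects the sandbox directive; other
// directives (for example script-src) can still restrict scripts.
function sandboxStatus(headerValue) {
  let sandboxed = false;
  let sandboxAllowsScripts = true;
  for (const policy of (headerValue || '').split(',')) {
    const sandbox = parsePolicy(policy).get('sandbox');
    if (sandbox === undefined) continue;
    sandboxed = true;
    const flags = sandbox.map((t) => t.toLowerCase());
    if (!flags.includes('allow-scripts')) sandboxAllowsScripts = false;
  }
  return { sandboxed, sandboxAllowsScripts };
}

// Constructed header values (not captured from a Jira instance).
const samples = {
  'bare sandbox': 'sandbox',
  'sandbox with scripts': "default-src 'self'; Sandbox allow-scripts allow-same-origin",
  'no sandbox': "default-src 'none'",
  'two policies': 'sandbox allow-scripts, sandbox',
  'header absent': undefined,
};

for (const [label, value] of Object.entries(samples)) {
  console.log(label, JSON.stringify(sandboxStatus(value)));
}
```

A bare `sandbox` value yields `sandboxed: true, sandboxAllowsScripts: false`, matching the "'allow-scripts' permission is not set" message; with the dark feature added, the same attachment response would be expected to report `sandboxed: false`.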
- is cloned from JRASERVER-72275 Video attachments stopped playing on issues in Chrome/Safari browsers - Closed