Uploaded image for project: 'Jira Software Data Center'
  1. Jira Software Data Center
  2. JSWSERVER-19912

Implement Configuration Option for CSP Header

    XMLWordPrintable

Details

    • Suggestion
    • Resolution: Unresolved
    • None
    • None
    • None
    • 18
    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      Definition

      Currently, there's no way to modify the content-security-policy header besides:

      However, there is no way to provide a different configuration for that header. For example a user may prefer to have:

      frame-ancestors 'self' https://trusteddomain.com

      This will allow users to exempt applink URLs for instance from these checks as trusted domains. Useful for embedding gadgets, pages etc from one Atlassian Application to the other.

      Suggestion

      Provide more configuration options for this header. Atleast provide a way to specify trusted domains from where the Jira web page can be framed.

      Workaround

      Use a web-server like Apache, Nginx etc as a reverse proxy and then use the header re-write features of the proxy to add these headers.

      Attachments

        Issue Links

          is caused by

          Bug - A problem which impairs or prevents the functions of the product. JRASERVER-25143 Enable X-FRAME-Options header to implement clickjacking protection

          • Highest - Our top priority issues
          • Closed

          Activity

            People

              Unassigned Unassigned
              acardino Anna Cardino (Inactive)
              Votes:
              25 Vote for this issue
              Watchers:
              21 Start watching this issue

              Dates

                Created:
                Updated: