Jira Software Data Center / JSWSERVER-26511

Unable to embed Plan or Program in an iframe


      Issue Summary

      According to "Share plan and export data from Advanced Roadmaps", users should be able to embed an Advanced Roadmaps for Jira (ARJ) Plan or Program in an <iframe> tag to be displayed on an external page. However, this feature is broken for users on Chromium 80+ and/or Jira 10.0+.

      The two root causes are:

      1. Tomcat's session cookie (JSESSIONID) isn't set with the "SameSite=None; Secure" attributes needed for cross-site access. This is a requirement in modern versions of Chromium and is tracked on JRASERVER-70471: Implement SameSite policy support.
      2. Jira 10's endpoint security mechanism (developer announcement) redirects users to the login page.
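
The first root cause can be checked from a captured response. The following is an added example, not code from Jira, Tomcat or this ticket: it classifies how Chromium 80+ treats a Set-Cookie header when the page is loaded in a cross-site <iframe>. The function names and sample header values are constructed for illustration, and it assumes the browser is not blocking third-party cookies outright.

```javascript
// Added example, not Jira or Tomcat code. Header values below are constructed.
// Assumes the browser is not blocking third-party cookies outright.
const SAMPLES = {
  noSameSite: 'JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly',
  noneWithoutSecure: 'JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly; SameSite=None',
  noneAndSecure: 'JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly; SameSite=None',
};

// Split one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? '' : pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// 'sent'     : cookie accompanies requests made from a cross-site iframe
// 'rejected' : SameSite=None without Secure, so the browser drops the cookie
// 'withheld' : cookie is stored but not attached to cross-site iframe requests
function crossSiteFate(header) {
  const { attrs } = parseSetCookie(header);
  // A missing or unrecognised SameSite value is treated as Lax by Chromium 80+.
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : 'lax';
  if (sameSite === 'none') return attrs.secure === true ? 'sent' : 'rejected';
  return 'withheld';
}

// Find the named cookie among a response's Set-Cookie headers and report on it.
function auditSessionCookie(setCookieHeaders, name = 'JSESSIONID') {
  const header = setCookieHeaders.find((h) => parseSetCookie(h).name === name);
  return header ? crossSiteFate(header) : 'absent';
}

for (const [label, header] of Object.entries(SAMPLES)) {
  console.log(label.padEnd(18), auditSessionCookie([header]));
}
```

A result of "withheld" or "rejected" matches the symptom under Actual Results where the embed keeps showing a login or unauthenticated page after the user has logged in.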

      Steps to Reproduce

      1. Install Jira Software 10.0+.
      2. Create a new ARJ Plan.
      3. Generate a new <iframe> from share > embed.
      4. Paste the <iframe> into an external HTML page and open it in a Chromium-based browser.

      Expected Results

      1. User sees a "Login to view the plan" prompt in the embed.
      2. Clicking login opens Jira's login page in a new tab.
      3. After logging in, the embed reloads and displays the plan.

      Actual Results

      The "frowning page" icon is displayed with "Host refused to connect".

      If the responsible security mechanism is bypassed (unsafe), the complete Jira login page is displayed. If the user enters valid credentials here, the embed will refresh but display the login page again.

      If an alternative security mechanism is bypassed (unsafe), the expected ARJ unauthenticated ("Login to view the plan") page is shown. If the user clicks login, another tab will open where they can successfully log in. Despite that, the embed will continue to show the unauthenticated page.

      Workaround

      Currently, there is no known safe workaround for this behavior. A workaround will be added here when available.


              Assignee: Unassigned
              Reporter: Benjamin S