Confluence page does not display in an iframe
Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Excluding Fisheye and Crucible
This page contains instructions for customizing or extending Atlassian software (for example adding or changing CSS rules, HTML or JavaScript). As described in Atlassian Support Offerings, customizations made to Atlassian products are not supported. This material is provided for informational purposes only; use it at your own risk.
If you have questions about this topic or about customizations, ask the community on Atlassian Answers, or consider consulting an Atlassian Solution Partner.
Please note that Atlassian does not recommend making this change, as it makes Confluence vulnerable to clickjacking. Remove this protection ONLY if you are willing to accept the security implications of doing so. A test tool such as https://www.lookout.net/test/clickjack.html can be used to verify the setting.
Problem
When embedding a Confluence page in an <iframe /> on a different site, the content doesn't display.
The following appears in the browser console:
Refused to display 'http://confluence.mycompany.com/display/SPC/My+Page' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".
Environment
- Confluence 5.8.15 or higher
Diagnostic Steps
- Create a page in Confluence
- On another site, use this HTML to embed the page in an iframe:
  <iframe src="http://confluence.mycompany.com/display/SPC/My+Page"></iframe>
- Review the console in the browser with Developer Tools (Ctrl+Shift+I)
Cause
Since Confluence 5.8.15 the headers below have been included to stop clickjacking. You can read the original bug report here: CONF-29230
Content-Security-Policy: frame-ancestors 'self'
X-Frame-Options: SAMEORIGIN
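Browsers evaluate these two headers with a fixed precedence: a Content-Security-Policy frame-ancestors directive wins, X-Frame-Options applies only when that directive is absent, and with neither header any site may frame the page. The following added example (not Atlassian's code) reproduces that evaluation offline so an administrator can confirm, for a page URL and the response headers captured from the browser's Network tab, which embedding sites are allowed before and after a change. Function names such as can_frame and the sample header values are this example's own; host-source matching is simplified (no path or IPv6 handling).

```python
# Added example, not Atlassian's code: decide whether a page's clickjacking headers let a given
# ancestor origin frame it, with browser precedence (CSP frame-ancestors overrides X-Frame-Options).
from fnmatch import fnmatchcase
from typing import Dict, Optional
from urllib.parse import urlsplit

_DEFAULT_PORT = {"http": 80, "https": 443}

def _origin(url: str):   # (scheme, host, effective port): two URLs are same-origin when equal
    u = urlsplit(url)
    return u.scheme.lower(), (u.hostname or "").lower(), u.port or _DEFAULT_PORT.get(u.scheme.lower())

def _source_matches(source: str, page: str, ancestor: str) -> bool:
    """Match one frame-ancestors source expression against the ancestor origin."""
    src, (a_scheme, a_host, a_port) = source.lower(), _origin(ancestor)
    if src in ("'self'", "'none'"):
        return src == "'self'" and _origin(page) == _origin(ancestor)
    if src.endswith(":"):                        # scheme-source such as https:
        return src == a_scheme + ":"
    scheme, _, rest = src.rpartition("://")      # host-source: [scheme://]host[:port]
    host, _, port = rest.partition(":")
    if scheme and scheme != a_scheme:
        return False
    if port and port != "*" and port != str(a_port):
        return False
    return host == "*" or fnmatchcase(a_host, host)   # *.example.com matches subdomains only

def allowed_by_csp(policy: str, page: str, ancestor: str) -> Optional[bool]:
    """True/False per the frame-ancestors directive; None when the policy has none."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return any(_source_matches(s, page, ancestor) for s in tokens[1:])
    return None

def allowed_by_xfo(value: str, page: str, ancestor: str) -> Optional[bool]:
    """True/False for SAMEORIGIN/DENY; None when absent or unrecognised (browsers ignore it)."""
    return {"DENY": False, "SAMEORIGIN": _origin(page) == _origin(ancestor)}.get(value.strip().upper())

def can_frame(headers: Dict[str, str], page: str, ancestor: str) -> bool:
    """Verdict for one page/ancestor pair; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    verdict = allowed_by_csp(h.get("content-security-policy", ""), page, ancestor)
    if verdict is None:                           # no CSP directive: fall back to X-Frame-Options
        verdict = allowed_by_xfo(h.get("x-frame-options", ""), page, ancestor)
    return True if verdict is None else verdict   # neither header: any site may frame the page

# Constructed sample: the two headers the article says Confluence 5.8.15+ sends by default.
CONFLUENCE_DEFAULT = {"Content-Security-Policy": "frame-ancestors 'self'", "X-Frame-Options": "SAMEORIGIN"}
PAGE = "http://confluence.mycompany.com/display/SPC/My+Page"
```

Running can_frame(CONFLUENCE_DEFAULT, PAGE, "http://intranet.mycompany.com") returns False, which is exactly the refusal shown in the console message above; the same call after both headers are removed returns True for any ancestor, which is the exposure the warning at the top of this page refers to.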
Solution 1
Disable clickjacking protection from Confluence
- Shut down Confluence.
- Set the JVM parameters below (on all nodes if you are running a multi-node Data Center cluster) to disable the security headers. See Configuring System Properties for more on setting system properties.
To disable 'X-Frame-Options', please set the below JVM parameter
-Dconfluence.clickjacking.protection.disable=true
To disable 'Content-Security-Policy', please set the below JVM parameter
-Dhttp.header.security.content.security.policy.disabled=true
- Restart Confluence (all nodes if you are running a multi-node Data Center cluster)
The page will now appear in the iframe.
Solution 2
Some security features are enabled by default on Confluence 8.1.1 and later versions.
On those versions, using the steps on this page will cause the application to fail. Make sure you're following the appropriate steps for your Confluence version. Further information can be found in: How to enable and configure HTTP Strict Transport Security (HSTS) response header on Confluence
If solution 1 does not work, it is possible that the HTTP Header Security Filter has been enabled in Tomcat in CONFLUENCE_INSTALL/conf/web.xml.
- Shut down Confluence.
- Open CONFLUENCE_INSTALL/conf/web.xml and find antiClickJackingOption
- Uncomment the parameter and change its value from DENY to SAMEORIGIN
- Restart Confluence.
See the Apache Tomcat 8 Configuration Reference: HTTP Header Security Filter for more information on the parameters.