Knowledge base preview is failing on the customer portal with a "Refused to frame 'site' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'"." error in browser's console



Platform notice: Data Center only - This article applies only to Atlassian products on the Data Center platform.

This KB was created for the Data Center version of the product. Data Center KBs for features that are not Data Center specific may also work for the Server version of the product, but they have not been tested. Support for Server* products ended on February 15, 2024. If you are running a Server product, review your migration options on the Atlassian Server end-of-support announcement page.

*Except Fisheye and Crucible

Summary

When attempting to preview a Knowledge Base article from the JSM (Jira Service Management) customer portal, customers see the error message "<confluence site URL> refused to connect" in the iframe popup:


The following error appears in the browser console, and the article contents are not displayed as expected:

Refused to frame '<CONFLUENCE_BASE_URL>' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".


Environment

Jira Service Management Server/Data Center (any version), integrated with Confluence Server/Data Center (any version from 8.5.7)

Diagnosis

  • Record a HAR file while reproducing the Knowledge Base display issue in the Service Desk portal.
  • Open the HAR file and look for the request whose URL has the format <CONFLUENCE_BASE_URL>/plugins/servlet/remotepageview?pageId=XXXXXX.
  • Check the browser console output for the "Refused to frame '<CONFLUENCE_BASE_URL>' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'"" error.
  • Check the value of the content-security-policy header in that request's response and confirm that it is frame-ancestors 'self'.

Cause

This issue is caused by a change introduced in Confluence 8.5.7, which added the following response header to give Confluence clickjacking protection by default:

Content-Security-Policy: frame-ancestors 'self'

The downside of adding such a security header is that the browser refuses to show the content of the KB article in the iFrame on the customer portal.

There is a Confluence bug tracking this topic: CONFSERVER-95123.

Solution

The http.header.security.content.security.policy.value system property can be used to allow specific domains to open Confluence pages in an iFrame. By default, its value is frame-ancestors 'self':

Content-Security-Policy:frame-ancestors 'self'

This policy prevents the page from being embedded in iFrames on any other domains than Confluence. It's a security measure to mitigate risks associated with clickjacking attacks and unauthorized framing of your content on other websites.

To allow the JSM Customer portal to display Confluence articles in an iFrame, you can follow the steps below:

  1. Shut down Confluence.
  2. Set the JVM parameter below (on all nodes if you are using a multi-node Data Center cluster) so that only the Jira host is allowed to display Confluence content in an iFrame. Replace <JIRA hostname> with your own hostname before applying the configuration. See Configuring System Properties for more on setting system properties.

    CATALINA_OPTS="-Dhttp.header.security.content.security.policy.value=\"frame-ancestors 'self' <JIRA hostname>\" ${CATALINA_OPTS}"
  3. Start Confluence (all nodes if you are using a multi-node Data Center cluster).
  4. Verify articles can now be displayed from the customer portal:
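To check a candidate property value before restarting Confluence, the following added Python example (not from this article or from Atlassian) evaluates a Content-Security-Policy frame-ancestors directive the way a browser does, and goes slightly beyond the page by also handling scheme, port and wildcard sources. The confluence.example.com and jira.example.com hosts are constructed placeholders for <CONFLUENCE_BASE_URL> and <JIRA hostname>.

```python
from urllib.parse import urlsplit
# Added illustration for this KB article, not Atlassian code: evaluates a
# Content-Security-Policy frame-ancestors directive the way a browser does.

def _origin(url):
    """(scheme, host, port) for a URL, with the default port filled in."""
    p = urlsplit(url)
    return p.scheme.lower(), p.hostname.lower(), p.port or (443 if p.scheme == "https" else 80)

def _source_matches(source, page, ancestor):
    """Does one ancestor-source token let `ancestor` frame `page`?"""
    scheme, host, port = ancestor
    source = source.lower()
    if source in ("'self'", "'none'", "*"):
        return {"'self'": page == ancestor, "'none'": False, "*": True}[source]
    if source.endswith(":") and "/" not in source:  # scheme-source, e.g. "https:"
        return scheme == source[:-1]
    # host-source: [scheme://]host[:port][/path]; any path part is irrelevant here
    src_scheme, rest = source.split("://", 1) if "://" in source else (None, source)
    src_host, _, src_port = rest.split("/", 1)[0].partition(":")
    if src_scheme is None:
        # no scheme: ancestor must use the page's scheme (an http page may be framed by https)
        if scheme != page[0] and not (page[0] == "http" and scheme == "https"):
            return False
    elif src_scheme != scheme:
        return False
    src_port = src_port or ("443" if scheme == "https" else "80")
    if src_port != "*" and int(src_port) != port:
        return False
    if src_host.startswith("*."):  # wildcard matches subdomains only, not the bare domain
        return host.endswith(src_host[1:]) and host != src_host[1:]
    return host == src_host

def frame_ancestors_allows(csp, page_url, ancestor_url):
    """True if a page served with header value `csp` may be framed by ancestor_url."""
    page, ancestor = _origin(page_url), _origin(ancestor_url)
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return any(_source_matches(s, page, ancestor) for s in value.split())
    return True  # no frame-ancestors directive: the browser does not restrict framing

# Constructed placeholder hosts standing in for <CONFLUENCE_BASE_URL> and <JIRA hostname>.
CONFLUENCE = "https://confluence.example.com"
JIRA = "https://jira.example.com"
DEFAULT_CSP = "frame-ancestors 'self'"                  # Confluence 8.5.7 default
FIXED_CSP = "frame-ancestors 'self' jira.example.com"   # value set via the JVM property
if __name__ == "__main__":
    print("default value lets the portal frame the KB:", frame_ancestors_allows(DEFAULT_CSP, CONFLUENCE, JIRA))
    print("fixed value lets the portal frame the KB:  ", frame_ancestors_allows(FIXED_CSP, CONFLUENCE, JIRA))
```

Paste the content-security-policy value captured in the HAR file into frame_ancestors_allows with your real Confluence and Jira URLs to confirm the portal origin is permitted.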
  



Last updated: April 12, 2024
