Knowledge base articles cannot be displayed in the Service Desk customer portal (error: "Refused to display" or "didn't send any data")

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

プラットフォームについて: Server および Data Center のみ。この記事は、Server および Data Center プラットフォームのアトラシアン製品にのみ適用されます。

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Fisheye および Crucible は除く

要約

Knowledge base articles cannot be displayed in the Service Desk customer portal iframe:

Either of the 2 errors below might be displayed in the UI:

  • the error "refused to connect"
  • the error "didn't send any data"


Either of the following error is thrown in the browser console:

  • Error 1:

    Refused to display 'XXXXXXXXXXX/plugins/servlet/remotepageview?pageId=XXXXXX' in a frame because it set 'X-Frame-Options' to 'deny'.
  • Error 2

    Refused to display 'XXXXXXXXXXX/plugins/servlet/remotepageview?pageId=XXXXXX' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
  • Error 3

    XXXXXXXXXXXX didn't send any data

環境

  • Jira Service Management Server/Data Center (any version) with Confluence Server/Data Center (any version)
  • OR Jira Service Management Server/Data Center (any version from 4.12.0) with Confluence Cloud

原因

Case where Confluence Server (or Data Center) is used as a Knowledge Base

Confluence comes out-of-the-box with the X-Frame-Options header set to sameorigin, as per the KB article Confluence page does not display in an iframe. This header was added in Confluence 5.18.15 to implement the feature request UI Redressing (Clickjacking).

The expected behavior in a fresh vanilla Confluence Server instance without any customization nor reverse proxy/3rd party SSO integration, is described below:

  • When accessing most Confluence URLs, the X-Frame-Options header is set to sameorigin
  • When accessing some specific Confluence URLs such as the ones with the format <CONFLUENCE_BASE_URL>/plugins/servlet/remotepageview?pageId=XXXXX, the X-Frame-Options header is not set. The reason why URLs with the pattern /plugins/servlet/remotepageview?pageId= do not have the X-Frame-Options header set is to allow external applications such as Service Desk to display Confluence KB article in an iFrame.


The X-Frame-Options header can be customized and overwritten in various ways:

  • Via a reverse proxy, if Confluence is configured behind one
  • By adding a security filter in either of the 2 web.xml files in located in the Confluence installation folder, at these 2 locations:
    • <confluence-installation-folder>/conf/web.xml
    • <confluence-installation-folder>/confluence/WEB-INF/web.xml

If this header is set to either sameorigin or deny by a proxy server or a security filter regardless of the type of Confluence URL, then it will become impossible to display any Confluence KB article in the Service Desk portal, since this header will prevent the content of this URL from being displayed in an iFrame.

There are 3 common reasons why Confluence KB articles can't be displayed in the Customer Portal when using Confluence Server/Data Center:

Root cause 1

Confluence is running behind a reverse proxy which adds an X-Frame-Options header with the DENY or SAMEORIGIN value

Root cause 2

Confluence is running behind a reverse proxy/IdP provider (such as Microsoft Azure) which comes with an SSO integration and automatically redirect Confluence to the IdP login page and adds an X-Frame-Options header with the DENY or SAMEORIGIN value

Root cause 3

One of the 2 web.xml file from the Confluence application is configured with a security filter, which adds an X-Frame-Options header with the DENY or SAMEORIGIN value. This might be the case if the solution from the KB article How to enable and configure HTTP Strict Transport Security (HSTS) response header on Confluence has been implemented in the Confluence application.

Case where Confluence Cloud is used as a Knowledge Base

Root Cause 4

Since Jira Service Management 4.12.0, it is now possible to configure projects with a Knowledge Base space coming from Confluence Cloud, as explained in Set up a knowledge base with Confluence Cloud.

If the Confluence application (and/or the Confluence space used for the KB integration) is not configured with Anonymous Access, then customers will be required to log into Confluence to view any KB article.

If the customer is not logged into Confluence, instead of displaying the KB article or the log in screen in an iFrame from the Customer Portal, the following will happen:

  • in Chrome:

    • a grey page will show in the iFrame. There is a link available on the page which allows the user to open the page in a new window, so that they can log into Confluence Cloud. However, this link is very small and can be easily missed:

      Open Site in New Window
    • Also, the following error will be displayed in the browser console:

      Refused to display 'https://id.atlassian.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
  • in Firefox, the following message will appear in the iFrame:

    Firefox can't open this page.
    Open Site in New Window
  • in Safari: The issue is not present, however Safari opens each KB article in a new tab instead of the iframe


When integrating Service Desk Server with a Confluence Cloud Space to serve customers with a knowledge base, the customers are required to be logged in to Confluence Cloud for the Integration to work seamlessly. However, since the Confluence Cloud login page sets the header 'X-Frame-Options' to 'sameorigin', the login page will not be displayed and the user will have to click on the "Open site in New window" button to be able to log into Confluence Cloud, and view the KB article.

This behavior is intended by design (due to how the Confluence Cloud login page works), is a suggestion ticket to improve this behavior is tracked in  JSDSERVER-7175 - Getting issue details... STATUS .

診断

  • Record a HAR file while replicating the KB display issue in the Service Desk portal
  • Open the HAR file, and look for the URL which has the format <CONFLUENCE_BASE_URL>/plugins/servlet/remotepageview?pageId=XXXXXX
  • Check if the X-Frame-Options header is set, and what value it is set to. If it is set to either sameorigin or deny, then this KB article is relevant to the issue you are facing:


Now, the question is: what is setting this header?

Verifying Root cause 1 (Reverse Proxy server)

  • If Confluence is running behind a reverse proxy, try to bypass the reverse proxy by adding an un-proxied connector to the server.xml file of the Confluence application (as per How to bypass a proxy to test network connectivity).
  • After that, run either of the 2 tests listed below
  • Test 1
    • Log into your Confluence instance in a browser by using the URL http://<CONFLUENCE_IP_ADDRESS>:<UN_PROXIED_PORT>
    • In the same browser, try to open the problematic Confluence URL http://<CONFLUENCE_IP_ADDRESS>:<UN_PROXIED_PORT>/plugins/servlet/remotepageview?pageId=XXXXXX which had the X-Frame-Options header set to sameorigin or deny
    • If the X-Frame-Options header is no longer set to sameorigin nor deny (it should not be set at all), then we know that the problem was from the reverse proxy server
  • Test 2 (in case you can't access Confluence in a browser using its IP address):
    • SSH into the Linux server where the Confluence application is running (assuming that Confluence is running on Linux)
    • Run the following CURL command:

      curl -v "http://localhost:<UN_PROXIED_PORT>/plugins/servlet/remotepageview?pageId=XXXXXX"
    • Check the response
    • If the X-Frame-Options header is no longer set to sameorigin nor deny (it should not be set at all), then we know that the problem was from the reverse proxy server

Verifying Root cause 2 (Reverse Proxy server + SSO login redirection)

  • Collect a HAR file while replicating the issue
  • If you see in the HAR file that there is a redirection to an IdP provider URL such as login.microsoftonline.com (from Microsoft in this example) and that this redirection adds the HTTP header X-Frame-Options: DENY (as shown in the screenshot below), then the Root Cause 2 is relevant:

  • The header added by the SSO provider blocks the browser from loading the content in an iframe. In the case of Microsoft, it is a security feature of Microsoft login service to assist prevent phishing style attacks

Verifying Root cause 3 (security filter in one of the two web.xml file)

  • Open the 2 following files in a text editor
    • <confluence-installation-folder>/conf/web.xml
    • <confluence-installation-folder>/confluence/WEB-INF/web.xml
  • Look for the XML tag <filter-name>httpHeaderSecurity</filter-name>
  • Check if this tag is configured similarly to any of the examples listed below:
    • Example 1 (antiClickJackingOption set to DENY)

      <filter>
       <filter-name>httpHeaderSecurity</filter-name>
       <filter-class&amp;amp;gt;org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class&amp;amp;gt;
       <async-supported>true</async-supported>
       <init-param>
       <param-name>antiClickJackingEnabled</param-name>
       <param-value>true</param-value>
       </init-param>
       <init-param>
       <param-name>antiClickJackingOption</param-name>
       <param-value>DENY</param-value>
       </init-param>
       </filter>
      
        <filter-mapping>
              <filter-name>httpHeaderSecurity</filter-name>
              <url-pattern>/*</url-pattern>
              <dispatcher>REQUEST</dispatcher>
        </filter-mapping>
    • Example 2 (antiClickJackingOption set to SAMEORIGIN)

      <filter>
       <filter-name>httpHeaderSecurity</filter-name>
       <filter-class&amp;amp;gt;org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class&amp;amp;gt;
       <async-supported>true</async-supported>
       <init-param>
       <param-name>antiClickJackingEnabled</param-name>
       <param-value>true</param-value>
       </init-param>
       <init-param>
       <param-name>antiClickJackingOption</param-name>
       <param-value>SAMEORIGIN</param-value>
       </init-param>
       </filter>
      
        <filter-mapping>
              <filter-name>httpHeaderSecurity</filter-name>
              <url-pattern>/*</url-pattern>
              <dispatcher>REQUEST</dispatcher>
        </filter-mapping>
    • Example 3 (antiClickJackingOption not set to any value => by default, the DENY value will be used)

      <filter>
              <filter-name>httpHeaderSecurity</filter-name>
              <filter-class&amp;gt;org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class&amp;gt;
              <async-supported>true</async-supported>
      </filter>
      
        <filter-mapping>
              <filter-name>httpHeaderSecurity</filter-name>
              <url-pattern>/*</url-pattern>
              <dispatcher>REQUEST</dispatcher>
        </filter-mapping>
  • If you see any variation of the examples listed above, follow the steps below:

    • Remove the filter completely from any of the 2 web.xml files
    • Re-start the Confluence application
    • Log into Confluence
    • In the same browser, try to open the problematic Confluence URL /plugins/servlet/remotepageview?pageId=XXXXXX which had the X-Frame-Options header set to sameorigin or deny
    • If the X-Frame-Options header is no longer set to sameorigin nor deny (it should not be set at all), then we know that the problem was from the security filter configured in 1 or both of the 2 web.xml files

Verifying Root cause 4 (integration with Confluence Cloud)

If the 3 following conditions are verified, then this root cause is relevant:

  • the knowledge base space is coming from Confluence Cloud (instead of Server/Data Center)
  • the Confluence Cloud application (and/or the Confluence space) is not configured with Anonymous access
  • if the user who is trying to view the KB article has not logged into Confluence Cloud yet

ソリューション

Solution for Root cause 1 (reverse proxy server):

Remove any configuration in your reverse proxy server that sets the X-Frame-Options header.

例:

  • If you are using Apache, check if the following configuration is found in the file httpd.conf. If you find such configuration, remove it:

    Header always append X-Frame-Options SAMEORIGIN
    OR
    Header always append X-Frame-Options DENY
  • If you are using Nginx, check it if is configured with the header shown below. If you find such configuration, remove it:

    add_header X-Frame-Options "SAMEORIGIN";
    OR
    add_header X-Frame-Options "DENY";

Solution for Root cause 2 (reverse proxy server + SSO login redirection):

Reach out to your proxy server administrator, or to the support team of the proxy server company for assistance on how to remove or modify the X-Frame-Options header, or alternatively on how to prevent the redirection to the SSO login page when KB articles are opened from an iFrame.

Solution for Root cause 3 (security filter in web.xml):

オプション 1

Remove any security filter configured in either of these 2 files:

  • <confluence-installation-folder>/conf/web.xml
  • <confluence-installation-folder>/confluence/WEB-INF/web.xml

オプション 2

If there is a security filter configured in either of the 2 files listed in Option 1, and removing it is not an option for you, add the following parameter underneath the security filter, in order to allow the Jira application to open the KB article in an iFrame.
(warning) Make sure to replace <jira-base-url> with Jira's Base URL.

<init-param>
<param-name>antiClickJackingUri</param-name>
<param-value><jira-base-url></param-value>
</init-param>

Solution for Root cause 4 (integration with Confluence Cloud):

オプション 1

Firefox: Click on the button displayed in the place of the article and log in to Confluence in another tab. Then you can go back to the Customer Portal and view all the articles you have access to.

Chrome, Firefox and other browsers: Click on the "View article in new window" link that is displayed below where the article should be.

オプション 2

Configure the Confluence Cloud instance with anonymous access, as per Setting Up Public Access.

In addition to this, also configure the Confluence Cloud KB Space with anonymous access:

With such configuration, Service Desk customers will no longer have to be logged into Confluence Cloud to view any KB article, and the KB article will be displayed in the iFrame.


最終更新日: 2023 年 1 月 10 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.