Knowledge base preview is failing on the customer portal with a "Refused to frame 'site' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'"." error in browser's console
プラットフォームについて: Data Center - この記事は、Data Center プラットフォームのアトラシアン製品に適用されます。
このナレッジベース記事は製品の Data Center バージョン用に作成されています。Data Center 固有ではない機能の Data Center ナレッジベースは、製品のサーバー バージョンでも動作する可能性はありますが、テストは行われていません。サーバー*製品のサポートは 2024 年 2 月 15 日に終了しました。サーバー製品を利用している場合は、アトラシアンのサーバー製品のサポート終了のお知らせページにて移行オプションをご確認ください。
*Fisheye および Crucible は除く
要約
The Preview for the Knowledge Base articles fails in the Customer Portal with 2 different errors
"Refused to frame 'site' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'"."
"Refuse to display <KB_Link> is a frame because it set chromewebdata/:1 'X-Frame-Options' to 'sameorigin'"
Issue 1
When attempting to preview a Knowledge Base article from the JSM (Jira Service Management) Customer portal, customers receive an error message in the iframe popup "<confluence site URL> refused to connect":
The below error is found in the browser console:
"Refused to frame '<CONFLUENCE_BASE_URL>' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'"." in the browser's console and the contents are not displayed as expected.
Issue 2
- We might also see an error in the HAR file related to the X-Frame-Options
環境
Jira Service Management Server/Data Center (any version), integrated with Confluence Server/Data Center (any version from 8.5.7 )
診断
For Issue 1:
- Record a HAR file while replicating the Knowledge Base display issue in the Service Desk portal
- Open the HAR file, and look for the URL which has the format <CONFLUENCE_BASE_URL>/plugins/servlet/remotepageview?pageId=XXXXXX
- Check the browser console output for the "Refused to frame '<CONFLUENCE_BASE_URL>' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'" error.
- Check the value for content-security-policy in the response headers to validate it is frame-ancestors 'self'
For Issue 2
- Create a Page in Confluence
In another site use this HTML to embed the Page in an
iframe.
HTML PAGE<iframe src="http://confluence.mycompany.com/display/SPC/My+Page"></iframe>- Review the console in the browser with Developer Tools (Ctrl+Shift+i)
原因
This issue is caused by a change introduced in Confluence 8.5.7. This change included the addition of the following response header, which is meant to add clickjacking protection to Confluence by default:
Content-Security-Policy: frame-ancestors 'self'The downside of adding such security header is that the browser will refuse to show the content of the KB article in the iFrame on the customer portal.
There is a Confluence bug related to the topic being track here - CONFSERVER-95123 - Getting issue details... STATUS
Since Confluence 5.8.15 the headers below have been included to stop clickjacking. You can read the original bug report here: CONFSERVER-29230 - UI Redressing (Clickjacking) CLOSED
Content-Security-Policy:frame-ancestors 'self'
X-Frame-Options:SAMEORIGINA fix for this problem is available if you’re using Confluence 8.5.9, 8.9.1 or later.
If you’re using any other versions of Confluence, use the solution below to workaround the problem.
If you have used this workaround and you’ve upgraded to Confluence 8.5.9, 8.9.1 or later, you can remove this workaround from your system.
ソリューション
For Issue 1
We can use the http.header.security.content.security.policy.value value to allow specific domains to open Confluence pages in an iFrame. By default, this value is set frame-ancestors ‘self':
Content-Security-Policy:frame-ancestors 'self'This policy prevents the page from being embedded in iFrames on any other domains than Confluence. It's a security measure to mitigate risks associated with clickjacking attacks and unauthorized framing of your content on other websites.
To allow the JSM Customer portal to display Confluence articles in an iFrame, you can follow the steps below:
- Confluence をシャットダウンします。
Set the below JVM parameters (on all nodes if you are using multi-node DataCenter cluster) to add the below argument to your setting for allowing only the Jira host to view Confluence content in an iFrame (please change <JIRA hostname> with yours before applying configuration.) – See Configuring System Properties for more on setting System Properties.
If Jira is not running as a service and the JVM parameters are configured in the setenv.sh or the setenv.bat file, please add the row below:
CATALINA_OPTS="-Dhttp.header.security.content.security.policy.value=\"frame-ancestors 'self' <JIRA hostname>\" ${CATALINA_OPTS}"
Be sure to replace "<JIRA hostname>" with the hostname of your Jira environment.If the Jira application is configured as a Windows Service, please add the Java option below in a new line (without the double quotes):
-Dhttp.header.security.content.security.policy.value=frame-ancestors 'self' <JIRA hostname> Be sure to replace "<JIRA hostname>" with the hostname of your Jira environment.
- Start Confluence (all nodes if you are using multi-node DataCenter cluster)
- Verify articles can now be displayed from the customer portal:
For Issue 2
Disable clickjacking protection from Confluence
Confluence をシャットダウンします。
Please set the below JVM parameters (on all nodes if you are using multi-node DataCenter cluster) to disable security headers. See Configuring System Properties for more on setting System Properties.
To disable 'X-Frame-Options', please set the below JVM parameter
-Dconfluence.clickjacking.protection.disable=trueTo disable 'Content-Security-Policy', please set the below JVM parameter
-Dhttp.header.security.content.security.policy.disabled=true
- Restart Confluence (all nodes if you are using multi-node DataCenter cluster)
The Page will now appear in the iframe.