Content-Security-Policy Header

Hey Folks,

We are trying to integrate JIRA via an iFrame in a Confluence page.

This is currently (Confluence 6.3.4) not possible, because Confluence sends the following header:

content-security-policy: frame-ancestors 'self'

I am aware that Atlassian recommends turning Clickjacking off (https://confluence.atlassian.com/confkb/confluence-page-does-not-display-in-an-iframe-827335781.html) so that this header won't be sent; however, we want security.
To get this working, Confluence would have to send the following header:

content-security-policy: frame-ancestors 'self' https://JIRA.xyz.com

I tried using a servlet filter and overwriting the XWork interceptor, without success:

    <servlet-filter name="Security Servlet Filter" i18n-name-key="csp-filter.name"
                    key="csp-filter"
                    class="at.example.confluence.servlet.CSPServletFilter"
                    location="before-dispatch" weight="10000">
        <description>Content-Security-Policy Headers for ViewPage</description>
        <url-pattern>/pages/viewpage*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </servlet-filter>

    <xwork name="Security Interceptor" key="csp-security-interceptor">
        <package name="default" extends="default">
            <interceptor name="securityHeaders" class="at.example.confluence.servlet.CSPInterceptor"/>
        </package>
    </xwork>

The servlet filter logs that it's changing the response; however, the final header does not change.
The XWork interceptor is not invoked. I guess it is not possible to overwrite an interceptor this way?

Does anybody have any idea how to overwrite the default interceptor, or how to inject this header into the response?

THANKS A LOT!

Hi Matthias,

Embedding Jira pages in iFrames is not allowed by default since Jira 7.6.

This documentation explains how to grant Jira paths.

Hope this helps,
Pablo

Hey @pablo, thanks for your reply. I include a private servlet from Jira, on which I was able to use the servlet filter on the Jira side as expected. The Confluence servlet filter did not work as expected.

But it turned out that, to change these headers in Confluence, one has to change the order of commands in the doFilter method:

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        final HttpServletResponse httpResponse = (HttpServletResponse)response;
        // Let Confluence and the rest of the chain write their own headers first ...
        chain.doFilter(request, httpResponse);
        // ... then replace Content-Security-Policy, so our value is the one that is sent
        // (this only works while the response has not been committed yet).
        httpResponse.setHeader("Content-Security-Policy", this.contentSecurityPolicy);
    }
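For readers who want the whole filter rather than just the reordered doFilter, here is a complete class as an added example. It is not the poster's code and not Atlassian's; it follows the approach found in this thread (set the header after chain.doFilter) and adds the part the original question needed, building `frame-ancestors 'self' https://JIRA.xyz.com` from an allow-list instead of a hard-coded string. The package name, class name, the init-param name `allowedFrameAncestors` and the `isCommitted()` guard are assumptions, not anything the thread specifies.

```java
// Added example (not the original poster's or Atlassian's code). Package, class name,
// init-param name and the isCommitted() guard are assumptions.
package at.example.confluence.servlet;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class CspFrameAncestorsFilter implements Filter {

    /** Init-param (assumed name) holding a whitespace-separated list of allowed framing origins. */
    static final String ALLOWED_ANCESTORS_PARAM = "allowedFrameAncestors";

    /** Default is what Confluence sends itself, so a missing init-param never weakens the policy. */
    private String contentSecurityPolicy = "frame-ancestors 'self'";

    @Override
    public void init(FilterConfig config) throws ServletException {
        List<String> origins = new ArrayList<>();
        String raw = config.getInitParameter(ALLOWED_ANCESTORS_PARAM);
        if (raw != null) {
            for (String s : raw.trim().split("\\s+")) {
                if (!s.isEmpty()) origins.add(s);
            }
        }
        contentSecurityPolicy = buildFrameAncestors(origins);
    }

    /**
     * Builds "frame-ancestors 'self' https://a https://b". Every entry must be a plain
     * https origin (scheme + host[:port], no path, userinfo, query or wildcard); otherwise
     * the filter refuses to start, so a typo cannot silently widen who may frame Confluence.
     */
    static String buildFrameAncestors(List<String> origins) throws ServletException {
        StringBuilder sb = new StringBuilder("frame-ancestors 'self'");
        for (String origin : origins) {
            if (!isHttpsOrigin(origin)) {
                throw new ServletException("Refusing non-origin frame-ancestors source: " + origin);
            }
            sb.append(' ').append(origin);
        }
        return sb.toString();
    }

    static boolean isHttpsOrigin(String s) {
        try {
            URI u = new URI(s);
            return "https".equalsIgnoreCase(u.getScheme())
                    && u.getHost() != null
                    && u.getUserInfo() == null
                    && (u.getRawPath() == null || u.getRawPath().isEmpty())
                    && u.getRawQuery() == null
                    && u.getRawFragment() == null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        // Run the rest of the chain first so Confluence's own "frame-ancestors 'self'" is
        // written before ours; setHeader() then replaces it. Using addHeader() instead would
        // send two CSP headers, and browsers enforce both, so Jira would still be blocked.
        chain.doFilter(request, httpResponse);
        if (!httpResponse.isCommitted()) {
            // Once the body has been flushed the headers are gone and cannot be changed.
            httpResponse.setHeader("Content-Security-Policy", contentSecurityPolicy);
        }
    }

    @Override
    public void destroy() {
    }
}
```

The allow-list is meant to be supplied through an `<init-param>` on the `servlet-filter` module (e.g. `allowedFrameAncestors` set to `https://JIRA.xyz.com`), with the same `location="before-dispatch"` and `url-pattern` as in the question. Restricting entries to bare https origins is a design choice for the example, not a CSP requirement: the directive also accepts host-sources with paths and wildcards, but an explicit list of origins is the easiest thing to review and the hardest to get wrong.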

Wouldn’t the easiest way be to put a proxy server in front of Confluence which adjusts the header?