Content-Security-Policy Header

matthias.steinboeck · November 3, 2018, 9:58am

Hey Folks,

Because we try to integrate JIRA via an iFrame in a Confluence-Page.

This is currently (Confluence 6.3.4) not possible, because Confluence sends the following Header:

content-security-policy: frame-ancestors 'self'

I am aware, that Atlassian recommends turning Clickjacking off (Confluence page does not display in an iframe | Confluence | Atlassian Documentation), so that this header won’t be send, however we want security.
To get this working, confluence would have to send the following Header:

content-security-policy: frame-ancestors 'self' https://JIRA.xyz.com

I tried using a servlet-filter and overwriting the xwork-interceptor without success:

    <servlet-filter name="Security Servlet Filter" i18n-name-key="csp-filter.name"
                    key="csp-filter"
                    class="at.example.confluence.servlet.CSPServletFilter"
                    location="before-dispatch" weight="10000">
        <description>Content-Security-Policy Headers for ViewPage</description>
        <url-pattern>/pages/viewpage*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </servlet-filter>

    <xwork name="Security Interceptor" key="csp-security-interceptor">
        <package name="default" extends="default">
            <interceptor name="securityHeaders" class="at.example.confluence.servlet.CSPInterceptor"/>
        </package>
    </xwork>

The Servlet-Filter logs, that its changing the response, however the final header does not change.
The XWork-Interceptor is not invoked - I guess, it is not possible to overwrite an interceptor this way?

Does anybody have any idea how to overwrite the default-interceptor or how to inject this header into the response?

THANKS ALOT!

pablo · November 3, 2018, 10:12pm

Hi Matthias,

Embedding Jira pages in iFrames is not allowed by default since Jira 7.6

This documentation explains how to grant Jira paths.

Hope this helps,
Pablo

matthias.steinboeck · November 4, 2018, 7:43am

Hey @pablo, thanks for your reply, I include a private servlet from jira, on which I was able to use the servlet-filter on jira-side as expected. the confluence-servlet-filter did not work as expected.

But, it turned out, that to change these headers in confluence one has to change the order of commands in the doFilter-method:

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        final HttpServletResponse httpResponse = (HttpServletResponse)response;
        chain.doFilter(request, httpResponse);
        httpResponse.setHeader("Content-Security-Policy", this.contentSecurityPolicy);
    }

remie · November 4, 2018, 1:37pm

Wouldn’t the easiest way be to put a proxy server in front of Confluence which adjusts the header?