How to defend against CSRF when your Jira gadget is used in Confluence?

Hi,

We have a Jira plugin, which has CSRF protection. We are accessing this Jira plugin’s gadget inside Confluence by adding it as an external gadget. When this external gadget sends a request to Jira, Confluence adds the ‘X-Atlassian-Token’: ‘no-check’ request header to the request. This led to bypassing our CSRF protection in our backend. Even if we managed to remove this header from the request, we could not attach atlassian.xsrf.token from Jira to our request, which is required for our CSRF check.

When we try the same case in Jira, by adding ‘X-Atlassian-Token’: ‘no-check’ to requests and sending our custom request header without atlassian.xsrf.token or with the wrong value, CSRF protection works, and our backend returns 401 as expected. We expect the requests sent by our external gadget in Confluence to include the CSRF token and work the same way as with Jira.

Is there any solution for this, or recommendation for a workaround?

Thanks,


Hi Ali,

The fact that the header ‘X-Atlassian-Token’: ‘no-check’ allows a cross site request through is correct and by design.

The way the cross site protections in Jira work is that if a cross site request arrives, the request must either have this header set or the xsrf token must match the one in the user’s cookie.

The reason this is still an effective protection is that the type of cross site requests you are protecting against cannot set this header in all modern browsers. This is explained in detail here: Cross-Origin Resource Sharing (CORS) - HTTP | MDN

So as long as your app correctly blocks requests that don’t have the header and also don’t have the token, it should be ok. Unless I have misunderstood something about your situation.
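The rule in the answer above, written out as an added example (this is not Atlassian’s code and not the original poster’s plugin): a state-changing request is accepted either because it carries the ‘X-Atlassian-Token’: ‘no-check’ header, or because the token it sends matches the one in the user’s cookie. The header path is safe because a cross-site form post or simple fetch cannot attach a custom header; a request that does carry one has passed the browser’s CORS preflight or is same-origin. The cookie name is taken from the thread; the parameter name `atl_token`, the request representation and the sample requests are assumptions made for the example.

```python
"""Model of the two-branch XSRF check described in the answer above.

Added example, not Atlassian's implementation. Assumptions: the token is
sent back as a request parameter named 'atl_token', and requests are
represented as plain dicts of headers, cookies and parameters.
"""
import hmac
from typing import Mapping, Tuple

HEADER = "x-atlassian-token"          # header named in the thread
COOKIE = "atlassian.xsrf.token"       # cookie named in the thread
TOKEN_PARAM = "atl_token"             # assumption for this example


def _find_header(headers: Mapping[str, str], name: str):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def is_request_allowed(headers: Mapping[str, str],
                       cookies: Mapping[str, str],
                       params: Mapping[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for a state-changing request.

    Branch 1: exact 'no-check' header value. The thread observed that the
    older spelling 'nocheck' was rejected by Jira, so anything other than
    'no-check' is treated here like a missing header and falls through.
    Branch 2: the submitted token must equal the token in the user's cookie;
    the comparison is constant-time to avoid leaking the token by timing.
    """
    header = _find_header(headers, HEADER)
    if header is not None and header.strip().lower() == "no-check":
        return True, "no-check header present: same-origin or CORS-preflighted request"

    cookie_token = cookies.get(COOKIE)
    sent_token = params.get(TOKEN_PARAM)
    if not cookie_token or not sent_token:
        return False, "no no-check header and no token pair to compare"
    if hmac.compare_digest(cookie_token.encode(), sent_token.encode()):
        return True, "token matches cookie"
    return False, "token mismatch"


# Constructed sample requests (not captured traffic) covering the cases
# discussed in the thread.
SAMPLE_REQUESTS = {
    "gadget with no-check header": ({"X-Atlassian-Token": "no-check"}, {}, {}),
    "deprecated nocheck, wrong token": ({"X-Atlassian-Token": "nocheck"},
                                       {COOKIE: "abc123"}, {TOKEN_PARAM: "zzz"}),
    "same-origin form with token": ({}, {COOKIE: "abc123"}, {TOKEN_PARAM: "abc123"}),
    "cross-site form, no header, no token": (
        {"Content-Type": "application/x-www-form-urlencoded"}, {COOKIE: "abc123"}, {}),
}


def run_samples() -> dict:
    """Evaluate every sample request; returns name -> allowed flag."""
    return {name: is_request_allowed(*req)[0] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (h, c, p) in SAMPLE_REQUESTS.items():
        allowed, reason = is_request_allowed(h, c, p)
        print(f"{name}: {'ALLOW' if allowed else 'BLOCK'} ({reason})")
```

The last sample is the case the protection exists for: a form submitted from another site carries the victim’s cookie but can set neither the custom header nor the token, so it is blocked. The ‘nocheck’ sample shows why a backend should compare the header value exactly rather than loosely, which is the mismatch the original poster later found in their own request.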

Hi @richard.white ,

Thanks for your answer. I realized I am sending the header in the request from Jira with the deprecated value ‘nocheck’. When I changed it to no-check, it started to work the same way as with Confluence.

Although I checked out the MDN document you sent, it is still unclear to me how Jira/Confluence differentiates requests that come from different domains or sites with the header ‘X-Atlassian-Token’: ‘no-check’ and does CSRF validation for them. Are they checking JSESSIONID or any other request header like User-Agent, Origin, etc.?

Also, as part of my question in the first post: will the requests sent from Jira external gadgets inside Confluence to the Jira plugin always include ‘X-Atlassian-Token’: ‘no-check’, or does it depend on the Confluence settings?