Iframing KB articles and Safari with "Prevent cross-site Tracking"

Hi,

Our solution (Refined for Jira Cloud), has a feature, where we show Knowledge Base articles to authenticated users using iframes. This has worked fine, until Safari started blocking 3rd party cookies by default (the setting “Prevent cross-site Tracking”). Now the users using Safari get the error “The action performed requires a logged in user. Please log in and try again.”

Any suggestions for solving this?

The only solution I can think of, would be a new API, that provides the content of KB article, so that we can render it ourselves.

While this problem currently affects only Safari, FireFox and Chrome are expected to follow in a year or two.

For background, we fetch the KB article iframable url using servicedesk api (/rest/servicedeskapi/knowledgebase/article?query=article)

Hi @ErkkiLepre,

Do you fetch the Knowledge Base article from your app’s iframe using AP.request('/rest/servicedeskapi/knowledgebase/article?query=article', ...) (https://developer.atlassian.com/cloud/jira/service-desk/jsapi/request/)?

I’m just trying to clarify which operation Safari is blocking. I think Safari has blocked cookies in iframes for quite some time now which is why we provide a Cookie JavaScript API.

Regards,
Dugald

Hi @dmorrow

Thanks for the prompt response.

No, we get the iframe url using addon.httpClient in the backend.

Our solution is basically an external website, that fetches Jira/Confluence content using Atlassian API’s, and renders it. Displaying KB articles is an exception to this, as - and please correct me if I’m wrong - there’s no API for fetching the article content. That’s why we simply iframe it. But note, that the iframing happens from a non-atlassian domain.

If the “Prevent cross-site Tracking” feature is disabled in Safari, everything works fine, but when it’s enabled, Safari will not send the Atlassian session cookie, so the content will not be available (because it requires authentication).

Here on the left you can see how it looks like, with the setting enabled, and on the right with the setting disabled:

Note the difference in the Request Cookies.

(The URL I’m iframing in this example is https://xxx.atlassian.net/rest/servicedeskapi/knowledgebase/article/view/416972801)

Hi @ErkkiLepre,

When you say “the URL I’m iframing in this example is https://xxxx.atlassian.net/rest/servicedeskapi/knowledgebase/article/view/416972801”, do you mean the iframe URL is https://xxxx.atlassian.net/jira/servicedesk/projects/SDT/knowledge/articles/416972801 which is in turn sending a request to https://xxxx.atlassian.net/rest/servicedeskapi/knowledgebase/article/view/416972801?

Have you tried setting the allow-same-origin sandbox option for the iframe? e.g. <iframe sandbox="allow-same-origin"...

Regards,
Dugald

No, the iframe url is https://xxxx.atlassian.net/rest/servicedeskapi/knowledgebase/article/view/416972801

This is the url given as an answer to the query https://xxx.atlassian.net/rest/servicedeskapi/knowledgebase/article?query=Article

Hi @ErkkiLepre,

As a heads up, the Service Desk team have been looking into this.

Regards,
Dugald

1 Like

Hi again. Any update on this?

Hi @ErkkiLepre,

The Service Desk team are still looking into this, but I’m not exactly sure what course of action they are taking. I’ll check if it is possible for them to provide more details.

Regards,
Dugald

Hi @ErkkiLepre,

At the moment in order to Prevent cross-site Tracking, webkit strips the third-party cookies away before sending requests to Atlassian’s public APIs as you already noticed (the third-party cookies here are the ones created after a user is authenticated by Jira).

There are a few limitations specifically to KB articles because all the subsequent requests required to load a KB article also relies on the cookies mentioned in this thread.
This demands changes in the way the content for KB articles are retrieved in terms of authentication, so there’s no workaround available at the moment.

I’ve created a public ticket to address this issue and to help all vendors and users to track the next steps to solve this: https://jira.atlassian.com/browse/JSDCLOUD-9287

Regards,
Adolfo Eloy

2 Likes

Thanks for the help @AdolfoEloy and @dmorrow.

Cheers,

-Erkki

2 Likes