Confluence page does not display in an iframe in Confluence Data Center


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

The content on this page includes steps to customize or extend Atlassian software (adding/changing CSS rules, HTML, JavaScript, etc.). Per the Atlassian Support Offerings, support does not include customizations made to Atlassian products. Be aware that this material is provided for your information only and using it is done so at your risk.

If you have any questions about this or any customization, please ask the community at Atlassian Answers or consider working with an Atlassian Solution Partner.

Please note that Atlassian does not recommend making this change, as it would make Confluence vulnerable to clickjacking. Remove this protection ONLY if you are willing to accept the security implications of doing so. You can use tools such as https://www.lookout.net/test/clickjack.html to verify the setting.

Summary

When a Confluence page is embedded in an <iframe /> on a different site, the content does not display.

Environment

Confluence 5.8.15 or higher

Diagnosis

When reviewing the page load with your browser's developer tools, the following message can be found:

Refused to display 'http://confluence.mycompany.com/display/SPC/My+Page' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".

Cause

Starting in Confluence 5.8.15, the headers below have been included to stop clickjacking:

Content-Security-Policy: frame-ancestors 'self'
X-Frame-Options: SAMEORIGIN

You can read the original bug report here: CONF-29230

Workaround 1)

Disable the clickjacking protection in Confluence:

  1. Shut down Confluence

  2. Set the JVM parameters below (on all nodes if you are using a multi-node Data Center cluster) to disable the security headers. See Configuring System Properties for more on setting system properties.

    1. To disable X-Frame-Options, set the following JVM parameter:

      -Dconfluence.clickjacking.protection.disable=true
    2. To disable Content-Security-Policy, set the following JVM parameter:

      -Dhttp.header.security.content.security.policy.disabled=true
  3. Restart Confluence (all nodes if you are using a multi-node Data Center cluster)

The page will now appear in the iframe.


Workaround 2)

To allow the Jira Service Management (JSM) customer portal to display Confluence articles in an iframe, follow the steps below:

  1. Shut down Confluence
  2. Set the JVM parameter below (on all nodes if you are using a multi-node Data Center cluster) so that only the Jira host may display Confluence content in an iframe (replace <JIRA_BASE_URL> with your own value before applying the configuration). See Configuring System Properties for more on setting system properties.

    1. If Jira is not running as a service and the JVM parameters are configured in the setenv.sh or setenv.bat file, add the line below and replace <JIRA_BASE_URL> with your base URL, including the context path.

      CATALINA_OPTS="-Dhttp.header.security.content.security.policy.value=\"frame-ancestors 'self' <JIRA_BASE_URL>\" ${CATALINA_OPTS}"

    2. If the Jira application is configured as a Windows service, add the Java option below on a new line (without the double quotes):

      -Dhttp.header.security.content.security.policy.value=frame-ancestors 'self' <JIRA_BASE_URL>
  3. Restart Confluence (all nodes if you are using a multi-node Data Center cluster)
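The following check, added here and not part of the Atlassian article, models how a browser evaluates the two headers from the Cause section against an embedding page: a Content-Security-Policy frame-ancestors directive, when present, takes precedence over X-Frame-Options, which is why the default configuration blocks a Jira portal while the Workaround 2 value admits only the Jira host. The host names, URLs and header sets are constructed placeholders.

```python
# Decide whether a browser would render a Confluence page inside a frame on another site.
# Added example, not from the Atlassian article: applies the rule that a CSP frame-ancestors
# directive overrides X-Frame-Options to constructed header sets (default vs Workaround 2).
import fnmatch
from urllib.parse import urlsplit

def _origin(url: str) -> tuple:
    """(scheme, host[:port]) of a URL, lower-cased, for 'self' / SAMEORIGIN comparisons."""
    p = urlsplit(url)
    return p.scheme.lower(), p.netloc.lower()

def _source_matches(source: str, parent_url: str) -> bool:
    """Match one scheme-source or host-source from frame-ancestors against the embedding page."""
    p, src = urlsplit(parent_url), source.lower()
    if src.endswith(":"):                              # scheme-source, e.g. https:
        return p.scheme.lower() == src[:-1]
    src_scheme, _, src_host = src.rpartition("://")    # the scheme part is optional
    if src_scheme and src_scheme != p.scheme.lower():
        return False
    # Compare host:port only when the source names a port (simplified CSP port rules)
    target = p.netloc.lower() if ":" in src_host else (p.hostname or "")
    return fnmatch.fnmatchcase(target, src_host)       # '*' covers wildcard sources

def framing_allowed(headers: dict, framed_url: str, parent_url: str) -> bool:
    """True if framed_url may be embedded by a page at parent_url, given its response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # frame-ancestors governs: a CSP Level 2 browser ignores X-Frame-Options here
            for s in parts[1:]:
                if s == "'none'":
                    return False
                if s == "'self'" and _origin(parent_url) == _origin(framed_url):
                    return True
                if not s.startswith("'") and _source_matches(s, parent_url):
                    return True
            return False
    xfo = h.get("x-frame-options", "").strip().upper()   # legacy header, consulted only without CSP
    if xfo == "DENY":
        return False
    return xfo != "SAMEORIGIN" or _origin(parent_url) == _origin(framed_url)

CONFLUENCE = "https://confluence.example.com/display/SPC/My+Page"  # constructed
JIRA = "https://jira.example.com/servicedesk/customer/portal/1"     # constructed
DEFAULT_HEADERS = {"Content-Security-Policy": "frame-ancestors 'self'", "X-Frame-Options": "SAMEORIGIN"}
WORKAROUND2_HEADERS = {**DEFAULT_HEADERS,              # <JIRA_BASE_URL> filled in with the Jira host
                       "Content-Security-Policy": "frame-ancestors 'self' https://jira.example.com"}
```

Because the Workaround 2 value leaves X-Frame-Options at SAMEORIGIN, an old browser without CSP Level 2 support would still refuse to frame the page; the check above assumes a current browser.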

Workaround 3)

Some security features are enabled by default in Confluence 8.1.1 and later versions. Using the steps on this page will cause the application to fail. Make sure you are following the steps appropriate for your Confluence version.

Further information can be found in How to enable and configure HTTP Strict Transport Security (HSTS) response header on Confluence.

If Workaround 1) does not work, it is possible that the HTTP Header Security Filter has been enabled in Tomcat in CONFLUENCE_HOME/conf/web.xml.

  1. Shut down Confluence
  2. Open CONFLUENCE_HOME/conf/web.xml and find antiClickJackingOption
  3. Uncomment the parameter and change its value from DENY to SAMEORIGIN
  4. Restart Confluence

Please see the Apache Tomcat 8 Configuration Reference, HTTP Header Security Filter, for more information on the parameters.



Last modified on Sep 2, 2024