Documentation for JIRA 4.4. Documentation for other versions of JIRA is available too.

Skip to end of metadata
Go to start of metadata

What is the 'Whitelist'?

For security reasons, you as an administrator may wish to limit the URLs from which users can source content that is displayed on your JIRA site (e.g. in an External Gadget). The JIRA 'Whitelist' is a list of URLs whose content you wish to make available to users of your JIRA site.

You can add URLs (or URL patterns) to your whitelist as described below. Alternatively, if your JIRA site and users do not have access to the internet, you can choose to 'Allow all URLs' (see below).

Note that URLs for which Application Links are configured are automatically whitelisted, so you do not need to add them to this list.

(warning) The information on this page does not apply to JIRA OnDemand.

Editing the Whitelist

You can list specific URLs (or URL patterns) from which content will be allowed onto your JIRA site.

Select 'Restrict to whitelisted URL patterns' and use the form below to list specific URLs or URL patterns that will be allowed. If you select 'Allow all URLs', content can be included from any URL, including possibly malicious content.

  1. Log in as a user with the 'JIRA System Administrators' global permission.
  2. Select 'Administration' > 'System' > 'Security' > 'Whitelist' (tab) to open the 'Whitelist' page, which shows a list of URLs (or URL patterns).
    (tick) Keyboard shortcut: 'g' + 'g' + type 'wh'
  3. On the 'Whitelist' page, you can either:
    • Select 'Restrict to whitelisted URL patterns' and use the form below to list specific URLs or URL patterns that will be allowed.
      • Enter URL patterns to describe valid content sources. Enter one pattern per line according to the following format:
        • if the pattern starts with '=', only the exact URL following the '=' will be allowed
        • if the pattern starts with '/' then the whole pattern will be treated as a regular expression
        • otherwise, * characters in the pattern will be treated as wildcards to match 1 or more characters
      • For example, if you want to allow all requests to

        http://www.atlassian.com

        , enter the following rule:

        • http://www.atlassian.com/*
    • Select 'Allow all URLs'. This will allow content to be included from any URL, including potentially malicious content.