Activity stream gadgets for JIRA are not displaying on IE11
Problem
After upgrading to JIRA 7.6.4, IE11 versions do not display the activity stream gadget. It displays the following error message. It happens even without linking to a external application like confluence.
This content cannot be displayed in a iframe. To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame.Diagnosis
The issue occurs only with IE11 versions and not with google chrome or mozilla firefox. It can be seen from the HAR files that the X-frame-options are set for IE11 and set to DENY for some of the requests. For chrome and firefox the X-frame-options are not set to DENY. The web.xml file under the JIRA installation directory provides options for filters and filter mappings to set http security headers as below
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
</filter>
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>These filters provide the functionality to set clickjacking protection options. In the above case the HttpHeaderSecurityFilter was set without any clickjacking protection options. When you enable the httpheadersecurity in web.xml, it uses the following built in filter definitions
<!-- ================== Built In Filter Definitions ===================== -->
<!-- A filter that sets various security related HTTP Response headers. -->
<!-- This filter supports the following initialization parameters -->
<!-- (default values are in square brackets): --> -->
<!-- -->
<!-- antiClickJackingEnabled -->
<!-- Should the anti click-jacking header -->
<!-- X-Frame-Options be added to every response? -->
<!-- [true] -->
<!-- -->
<!-- antiClickJackingOption -->
<!-- What value should be used for the header. Must -->
<!-- be one of DENY, SAMEORIGIN, ALLOW-FROM -->
<!-- (case-insensitive). [DENY] -->
<!-- So by default, the *antiClickJackingEnabled* is set to true and *antiClickJackingOption* is set to DENY. This is ignored by the browsers firefox and chrome which uses the apache settings whereas IE and Edge uses these filter definitions.
Resolution
The packaged web.xml file from JIRA binaries have the above filters commented. In case the above errors or symptoms are seen, verify the web.xml file for any of the filters being enabled and disable them. In some cases, there are no proxies configured for JIRA and hence the clickjacking policy protection was driven by web.xml.
In case you want to use IE or Edge along with the above filter definitions enabled in web.xml, you will have to explicitly set the X-frame option as follows
<filter> <filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>SAMEORIGIN</param-value>
</init-param>
</filter>In case your Jira instance is connected to confluence through application link, you may have to modify *antiClickJackingOption* with ALLOW-FROM param value and add the confluence website link.