Knowledge Base articles viewed from the Customer portal have broken or missing images


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

 

Summary

Knowledge Base article images are not rendered when the article is viewed from the Customer portal: the images are either missing, or a broken image is displayed in their place.


Normally, all the images from the Confluence page should be displayed in the Customer portal iFrame:

  • KB article page, when viewed directly from the Confluence application:
  • KB article, when viewed from the Customer Portal iFrame, and when everything is working as expected:



This article is meant to explain why images might be missing or not rendered correctly, and how to fix this issue.

Environment

  • Jira Service Management (JSM) Server/Data Center on any version from 4.6.0
  • Confluence Server/Data Center on any version from 7.2.0
  • Confluence is not configured with anonymous access, which means that any user needs to log into the Confluence application to access its content
  • The JSM and the Confluence application are configured with an application link using "Oauth (Impersonation)", and both applications have the same set of users

Diagnosis

Generate a HAR file and also save the content of the Browser Development Console while replicating the issue with the KB article images.

HAR file Analysis

Open the HAR file in any HAR file analyzer tool:

  • Look for the POST request sent from the browser to the Confluence application at the URL <CONFLUENCE_BASE_URL>/plugins/servlet/remotepageview?pageId=XXXXXXXX, and check its response
    • You should see that the Confluence application returns a user session cookie (JSESSIONID), which the browser is supposed to use for any subsequent request sent to Confluence.
  • Check any subsequent request sent from the browser to any Confluence resource (such as the image URLs that fail to load or render), and notice that the browser did not include the Confluence session cookie.
  • Note that, depending on the browser, the request sent to load the KB images might return either:
    • a 403 HTTP code in some cases
    • a 302 HTTP code in most cases, along with a redirect to Confluence's login page: this is because the request was sent to Confluence without the user session cookie, and therefore Confluence requires authentication.

In a healthy environment (when the issue does not occur), you should see in the HAR file that the browser is including the Confluence Session Cookie (JSESSIONID) for any request sent to Confluence to populate the iFrame with the images, resulting in a response with the HTTP 200 code:

  • Session Cookie obtained from Confluence:
  • Request sent from the browser to Confluence to load images, which includes the Session Cookie, and which gets a successful response with the 200 HTTP code:
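
The HAR checks described above can be automated. The following Python script is an added example, not Atlassian code: it flags a JSESSIONID issued by the remotepageview response without a SameSite attribute, and later Confluence requests that omit the cookie and receive a 302 or 403. The host `confluence.example.com`, the page ID, the image path and the sample entries are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

def load_har(path):
    """Load a HAR capture exported from the browser developer tools."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def header_values(msg, name):
    """All values of one header (case-insensitive) in a HAR request or response."""
    return [h["value"] for h in msg.get("headers", []) if h["name"].lower() == name]

def analyze_har(har, confluence_host):
    """Flag a JSESSIONID set without SameSite and later requests that omit it."""
    findings, session_issued = [], False
    for item in har["log"]["entries"]:
        req, resp = item["request"], item["response"]
        url = urlsplit(req["url"])
        if url.hostname != confluence_host:
            continue
        if req["method"] == "POST" and url.path.endswith("/plugins/servlet/remotepageview"):
            for value in header_values(resp, "set-cookie"):
                for cookie in value.split("\n"):  # some exporters join Set-Cookie lines
                    if not cookie.strip().startswith("JSESSIONID="):
                        continue
                    session_issued = True
                    attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
                    if not any(a.startswith("samesite=") for a in attrs):
                        findings.append(("no-samesite", req["url"], resp["status"]))
        elif session_issued:
            sent = any("JSESSIONID=" in v for v in header_values(req, "cookie")) or any(
                c.get("name") == "JSESSIONID" for c in req.get("cookies", []))
            if not sent and resp["status"] in (302, 403):
                findings.append(("cookie-not-sent", req["url"], resp["status"]))
    return findings

def har_entry(method, url, status, req_headers=(), resp_headers=()):
    """Build a minimal HAR entry (constructed sample data, not a real capture)."""
    pairs = lambda hs: [{"name": n, "value": v} for n, v in hs]
    return {"request": {"method": method, "url": url, "headers": pairs(req_headers)},
            "response": {"status": status, "headers": pairs(resp_headers)}}

BASE = "https://confluence.example.com"  # placeholder for <CONFLUENCE_BASE_URL>
SAMPLE_HAR = {"log": {"entries": [
    har_entry("POST", BASE + "/plugins/servlet/remotepageview?pageId=12345", 200,
              resp_headers=[("Set-Cookie", "JSESSIONID=ABC123; Path=/; HttpOnly")]),
    har_entry("GET", BASE + "/download/attachments/12345/diagram.png", 302,
              resp_headers=[("Location", BASE + "/login.action")]),
]}}

if __name__ == "__main__":
    for kind, url, status in analyze_har(SAMPLE_HAR, "confluence.example.com"):
        print(kind, status, url)
```

For a real capture, pass the result of `load_har("capture.har")` and your Confluence hostname to `analyze_har`; an empty result matches the healthy case described above.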

Browser Console Analysis

Depending on the browser that is being used, you might see some warnings in the browser console showing that the browser is rejecting the Confluence session cookie (JSESSIONID) as it is detected as a 3rd party cookie (as shown in the screenshot below taken while using Firefox):

This warning means that, for security reasons, the browser refused to use the Confluence session cookie when sending requests to Confluence to populate the iFrame in the Customer Portal.

If you find such warnings in the console, and if you see in the HAR file that the browser did not include the Confluence session cookie in the request sent to fetch the images, then this KB article is relevant.

(warning) Note: depending on the browser that you are using (for example Microsoft Edge), it is possible that the Browser Console does not show any warning about the Confluence cookie. Keep in mind that this doesn't mean that this KB article is not relevant, because every browser has its own way of recording logs. Microsoft Edge might also refuse to use the Confluence cookies without logging any warning in the Browser Console.

Browser Developer Tool Network tab - Microsoft Edge

When using the Microsoft Edge browser, and when checking the Network tab of the Developer tool, you might see the following warning (which will not be captured by the HAR file) next to the Set-Cookie header from the response to the request <CONFLUENCE_BASE_URL>/plugins/servlet/remotepageview?pageId=XXXXXXXX:


When translated in English, the warning says the following:

This Set-Cookie didn't specify a "SameSite" attribute and was defaulted to "SameSite=Lax" and was blocked because it came from a cross-site response which was not the response to a top-level navigation. The Set-Cookie had to have been set with "SameSite=None" to enable cross-site usage.

This error means that the Microsoft Edge Browser automatically set the attribute SameSite of the Confluence JSESSIONID cookie to "SameSite=Lax" and depending on how the browser is configured, this cookie might be blocked from being used in an iFrame.

Cause

This issue comes from the fact that Confluence Server/Data Center does not implement the SameSite attribute for its session cookie. This limitation is tracked in the public ticket linked below:

CONFSERVER-59298

Because of that, depending on how a browser is configured in terms of privacy/security, this browser might block the Confluence Session cookie (JSESSIONID) from being used in an iFrame. Since the Customer Portal needs to load the Confluence KB in an iFrame, the KB images might fail to be loaded if the browser blocked the Confluence cookie.

Depending on the browser used to replicate the issue and on how it is configured, the setting that impacts the usage of cookies might be different. The problematic setting might come from either a user's local browser settings, or a browser setting that is managed at your organization level (via Group Policy settings for Windows users).

  • We found that with Firefox, if the Privacy & Security setting is set to Custom → Block all third-party cookies, the Confluence session cookies might get blocked (although we also saw that in other situations, this setting might not block the Confluence session cookies).
  • As for Microsoft Edge, the Privacy & Security setting might be managed by your IT Team via Group Policy Objects (GPO). Therefore, even if your Microsoft Edge browser is not configured locally to block cookies, cookies might be blocked at a higher level by your IT team.

Solution

Resolving the issue at the browser level

The solution will depend on which browser is in use, and on how it is configured (at the user level? at the whole company level?).

Firefox

For this browser, we found that one way to fix the issue is to set the Privacy & Security setting to Standard, in order to allow the browser to use the Confluence cookie in the Customer Portal iFrame:

Microsoft Edge

For this browser, we recommend that you:

  • Reach out to your IT Team
  • Have them open the Group Policy Editor
  • Go to (Computer Configuration or User Configuration) > Policies > Administrative Templates > Microsoft Edge > Content settings > Revert to legacy SameSite behavior for cookies on specified sites
  • Add the Confluence domain

For more information about this configuration, you can refer to the following links:

Resolving the issue at the Confluence application level

Alternatively, you can fix the issue at the Confluence level by implementing the SameSite attribute for the JSESSIONID cookie, either via a Tomcat configuration or a reverse proxy configuration.

For more information about this solution, please refer to the workaround section of the public ticket CONFSERVER-59298.


Last modified on Dec 15, 2022
