Knowledge base articles cannot be displayed in the Service Desk customer portal (error: "Refused to display" or "didn't send any data")
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Knowledge base articles cannot be displayed in the Service Desk customer portal iframe:
Either of the variant errors below might be displayed in the Jira User Interface:
- the error "refused to connect"
- the error "didn't send any data"
- The KB page continuously loads:
Either of the following error is thrown in the browser console (on Jira appplication side):
Error 1:
Refused to display 'XXXXXXXXXXX/plugins/servlet/remotepageview?pageId=XXXXXX' in a frame because it set 'X-Frame-Options' to 'deny'.
Error 2:
Refused to display 'XXXXXXXXXXX/plugins/servlet/remotepageview?pageId=XXXXXX' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
Error 3:
XXXXXXXXXXXX didn't send any data
Error 4:
"Refused to frame '<CONFLUENCE_BASE_URL>' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'"." in the browser's console and the contents are not displayed as expected.
Error 5:
GET https://www.gravatar.com/avatar/68042e0e1470946dc3224200a7f816d9?d=mm&s=48 net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 200 (OK)
Uncaught TypeError: Cannot read properties of null (reading 'classList') at HTMLDocument.onDocumentLoad (VM53:647:19)
If you are getting the error below instead in the Browser Console, then this article is not relevant and the suggestions listed in it will not help:
In such case, please refer to this other article: Knowledge base preview is failing with a "Refused to frame 'site' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'"." error in browser's console
Environment
- Jira Service Management Server/Data Center (any version) with Confluence Server/Data Center (any version); or
- Jira Service Management Server/Data Center (any version from 4.12.0) with Confluence Cloud
Cause
Case where Confluence Server (or Data Center) is used as a Knowledge Base
Confluence comes out-of-the-box with the X-Frame-Options header set to sameorigin, as per the KB article Confluence page does not display in an iframe. This header was added in Confluence 5.18.15 to implement the feature request UI Redressing (Clickjacking).
The expected behavior in a fresh vanilla Confluence Server instance without any customization nor reverse proxy/3rd party SSO integration, is described below:
- When accessing most Confluence URLs, the X-Frame-Options header is set to sameorigin
- When accessing some specific Confluence URLs such as the ones with the format <CONFLUENCE_BASE_URL>/plugins/servlet/remotepageview?pageId=XXXXX, the X-Frame-Options header is not set. The reason why URLs with the pattern /plugins/servlet/remotepageview?pageId= do not have the X-Frame-Options header set is to allow external applications such as Service Desk to display Confluence KB article in an iFrame.
The X-Frame-Options header can be customized and overwritten in various ways:
- Via a reverse proxy, if Confluence is configured behind one
- By adding a security filter in either of the 2 web.xml files in located in the Confluence installation folder, at these 2 locations:
- <confluence-installation-folder>/conf/web.xml
- <confluence-installation-folder>/confluence/WEB-INF/web.xml
If this header is set to either sameorigin or deny by a proxy server or a security filter regardless of the type of Confluence URL, then it will become impossible to display any Confluence KB article in the Service Desk portal, since this header will prevent the content of this URL from being displayed in an iFrame.
Additionally, in Confluence 8.5.7, a new change was introduced. This change included the addition of the following response header, which is meant to add clickjacking protection to Confluence by default:
Content-Security-Policy: frame-ancestors 'self'
The downside of adding such security header is that the browser will refuse to show the content of the KB article in the iFrame on the customer portal.
Root cause 1
Confluence is running behind a reverse proxy which adds an X-Frame-Options header with the DENY or SAMEORIGIN value
Root cause 2
Confluence is running behind a reverse proxy/IdP provider (such as Microsoft Azure) which comes with an SSO integration and automatically redirect Confluence to the IdP login page and adds an X-Frame-Options header with the DENY or SAMEORIGIN value
Root cause 3
One of the 2 web.xml file from the Confluence application is configured with a security filter, which adds an X-Frame-Options header with the DENY or SAMEORIGIN value. This might be the case if the solution from the KB article How to enable and configure HTTP Strict Transport Security (HSTS) response header on Confluence has been implemented in the Confluence application.
Root cause 4
Confluence is on any version from 8.5.7. This version introduced the CSP header (Content-Security-Policy), which prevents the customer portal from displaying any KB article in an iFrame.
You can find more information about this root cause and its corresponding workaround in the article KB preview is failing with a "Refused to frame 'site' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'"." error in browser's console
Root Cause 5
Jira is running behind a reverse proxy and adds an Cross-Origin-Embedder-Policy header with the require-corp value.
Case where Confluence Cloud is used as a Knowledge Base
Root Cause 6
Since Jira Service Management 4.12.0, it is now possible to configure projects with a Knowledge Base space coming from Confluence Cloud, as explained in Set up a knowledge base with Confluence Cloud.
If the Confluence application (and/or the Confluence space used for the KB integration) is not configured with Anonymous Access, then customers will be required to log into Confluence to view any KB article.
If the customer is not logged into Confluence, instead of displaying the KB article or the log in screen in an iFrame from the Customer Portal, the following will happen:
in Chrome:
a grey page will show in the iFrame. There is a link available on the page which allows the user to open the page in a new window, so that they can log into Confluence Cloud. However, this link is very small and can be easily missed:
Open Site in New Window
Also, the following error will be displayed in the browser console:
Refused to display 'https://id.atlassian.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
in Firefox, the following message will appear in the iFrame:
Firefox can't open this page. Open Site in New Window
- in Safari: The issue is not present, however Safari opens each KB article in a new tab instead of the iframe
When integrating Service Desk Server with a Confluence Cloud Space to serve customers with a knowledge base, the customers are required to be logged in to Confluence Cloud for the Integration to work seamlessly. However, since the Confluence Cloud login page sets the header 'X-Frame-Options' to 'sameorigin', the login page will not be displayed and the user will have to click on the "Open site in New window" button to be able to log into Confluence Cloud, and view the KB article.
This behavior is intended by design (due to how the Confluence Cloud login page works), is a suggestion ticket to improve this behavior is tracked in JSDSERVER-7175 - Getting issue details... STATUS .
Diagnosis
- Open the Browser Developer tools whilst replicating the KB display issue in the Jira Service Desk portal
- In the Network tab, look for any of the below:
- Look for the URL which has the format <CONFLUENCE_BASE_URL>/plugins/servlet/remotepageview?pageId=XXXXXX
- Check if the X-Frame-Options header is set in the Response Headers. If the header value is set to either sameorigin or deny, then this KB article is relevant to the issue you are facing:
- Check if the X-Frame-Options header is set in the Response Headers. If the header value is set to either sameorigin or deny, then this KB article is relevant to the issue you are facing:
- Look at any of the Jira urls
- Check if the Cross-Origin-Embedder-Policy header is set in the Response Headers. If the header value is set to require-corp, then this KB article is relevant to the issue you are facing:
- Check if the Cross-Origin-Embedder-Policy header is set in the Response Headers. If the header value is set to require-corp, then this KB article is relevant to the issue you are facing:
- Look for the URL which has the format <CONFLUENCE_BASE_URL>/plugins/servlet/remotepageview?pageId=XXXXXX
Alternatively, click on the Console tab that may display the HTTP header that is blocking the request. e.g.
The loading of "https://twiki.company.com.au/plugins/servlet/remotepageview?pageId=1234" in a frame is denied by "X-Frame-Options" directive set to "sameorigin".
Refused to display 'https://twiki.company.com.au/' in a frame because it set 'X-Frame-Options' to 'deny'.
If no obvious errors show in the Console
For Chrome users: Try replicating the issue with Chrome.
In Chrome's console panel, press the "NNN" issues on the right to see hidden errors in the Security section. e.g.
- For Edge users: Try replicating the issue with Edge.
In Edge's console panel, press the "Expand quick view" button on the bottom right to see hidden errors in the Security section. e.g.
Verifying root cause 1 (Reverse Proxy server)
- If Confluence is running behind a reverse proxy, try to bypass the reverse proxy by adding an un-proxied connector to the server.xml file of the Confluence application (as per How to bypass a proxy to test network connectivity).
- After that, run either of the 2 tests listed below
- Test 1:
- Log into your Confluence instance in a browser by using the URL http://<CONFLUENCE_IP_ADDRESS>:<UN_PROXIED_PORT>
- In the same browser, try to open the problematic Confluence URL http://<CONFLUENCE_IP_ADDRESS>:<UN_PROXIED_PORT>/plugins/servlet/remotepageview?pageId=XXXXXX which had the X-Frame-Options header set to sameorigin or deny
- If the X-Frame-Options header is no longer set to sameorigin nor deny (it should not be set at all), then we know that the problem was from the reverse proxy server
- Test 2 (in case you can't access Confluence in a browser using its IP address):
- SSH into the Linux server where the Confluence application is running (assuming that Confluence is running on Linux)
Run the following CURL command:
curl -v "http://localhost:<UN_PROXIED_PORT>/plugins/servlet/remotepageview?pageId=XXXXXX"
- Check the response
- If the X-Frame-Options header is no longer set to sameorigin nor deny (it should not be set at all), then we know that the problem was from the reverse proxy server
Verifying root cause 2 (Reverse Proxy server + SSO login redirection)
- Collect a HAR file while replicating the issue
- If you see in the HAR file that there is a redirection to an IdP provider URL such as login.microsoftonline.com (from Microsoft in this example) and that this redirection adds the HTTP header X-Frame-Options: DENY (as shown in the screenshot below), then the Root Cause 2 is relevant:
- The header added by the SSO provider blocks the browser from loading the content in an iframe. In the case of Microsoft, it is a security feature of Microsoft login service to assist prevent phishing style attacks
Verifying root cause 3 (security filter in one of the two web.xml file)
- Open the 2 following files in a text editor
- <confluence-installation-folder>/conf/web.xml
- <confluence-installation-folder>/confluence/WEB-INF/web.xml
- Look for the XML tag <filter-name>httpHeaderSecurity</filter-name>
- Check if this tag is configured similarly to any of the examples listed below:
Example 1 (antiClickJackingOption set to DENY)
<filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class&amp;gt;org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class&amp;gt; <async-supported>true</async-supported> <init-param> <param-name>antiClickJackingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>DENY</param-value> </init-param> </filter> <filter-mapping> <filter-name>httpHeaderSecurity</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>
Example 2 (antiClickJackingOption set to SAMEORIGIN)
<filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class&amp;gt;org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class&amp;gt; <async-supported>true</async-supported> <init-param> <param-name>antiClickJackingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>SAMEORIGIN</param-value> </init-param> </filter> <filter-mapping> <filter-name>httpHeaderSecurity</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>
Example 3 (antiClickJackingOption not set to any value => by default, the DENY value will be used)
<filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class&gt;org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class&gt; <async-supported>true</async-supported> </filter> <filter-mapping> <filter-name>httpHeaderSecurity</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>
If you see any variation of the examples listed above, follow the steps below:
- Remove the filter completely from any of the 2 web.xml files
- Re-start the Confluence application
- Log into Confluence
- In the same browser, try to open the problematic Confluence URL /plugins/servlet/remotepageview?pageId=XXXXXX which had the X-Frame-Options header set to sameorigin or deny
- If the X-Frame-Options header is no longer set to sameorigin nor deny (it should not be set at all), then we know that the problem was from the security filter configured in 1 or both of the 2 web.xml files
Verifying root cause 4 (issue caused by Confluence Server/Data Center 8.5.7)
If you are using Confluence 8.5.7 or any higher version, and if you see the error below in the Console log, then this Root Cause is relevant:
Content-Security-Policy: frame-ancestors 'self'
Verifying root cause 5 (issue caused by Jira with Cross-Origin-Embedder-Policy set to require-corp)
- Open the Browser Developer tools whilst replicating the KB display issue in the Jira Service Desk portal
- In the Network tab:
- Look at any of the Jira urls
- Check if the Cross-Origin-Embedder-Policy header is set in the Response Headers. If the header value is set to require-corp, then this Root Cause is relevant:
- Check if the Cross-Origin-Embedder-Policy header is set in the Response Headers. If the header value is set to require-corp, then this Root Cause is relevant:
- Look at any of the Jira urls
Alternatively, click on the Console tab that may show this error in Edge browsers:
Uncaught TypeError: Cannot read properties of null (reading 'classList') at HTMLDocument.onDocumentLoad (VM184:647:19)
If no obvious errors show in the Console
For Chrome users: Try replicating the issue with Chrome.
In Chrome's console panel, press the "NNN" issues on the right to see hidden errors. e.g.
Specify a Cross-Origin Resource Policy to prevent a resource from being blocked
- For Edge users: Try replicating the issue with Edge.
In Edge's console panel, press the "Expand quick view" button on the bottom right to see hidden errors. e.g.
Specify a Cross-Origin Resource Policy to prevent a resource from being blocked
Verifying root cause 6 (integration with Confluence Cloud)
If the 3 following conditions are verified, then this root cause is relevant:
- the knowledge base space is coming from Confluence Cloud (instead of Server/Data Center)
- the Confluence Cloud application (and/or the Confluence space) is not configured with Anonymous access
- if the user who is trying to view the KB article has not logged into Confluence Cloud yet
Solution
Solution for Root cause 1 (reverse proxy server):
Remove any configuration in your reverse proxy server that sets the X-Frame-Options header.
For example:
If you are using Apache, check if the following configuration is found in the file httpd.conf. If you find such configuration, remove it:
Header always append X-Frame-Options SAMEORIGIN OR Header always append X-Frame-Options DENY
If you are using Nginx, check it if is configured with the header shown below. If you find such configuration, remove it:
add_header X-Frame-Options "SAMEORIGIN"; OR add_header X-Frame-Options "DENY";
Solution for Root cause 2 (reverse proxy server + SSO login redirection):
Reach out to your proxy server administrator, or to the support team of the proxy server company for assistance on how to remove or modify the X-Frame-Options header, or alternatively on how to prevent the redirection to the SSO login page when KB articles are opened from an iFrame.
Solution for Root cause 3 (security filter in web.xml):
Option 1
Remove any security filter configured in either of these 2 files:
- <confluence-installation-folder>/conf/web.xml
- <confluence-installation-folder>/confluence/WEB-INF/web.xml
Option 2
If there is a security filter configured in either of the 2 files listed in Option 1, and removing it is not an option for you, add the following parameter underneath the security filter, in order to allow the Jira application to open the KB article in an iFrame.
Make sure to replace <jira-base-url> with Jira's Base URL.
<init-param>
<param-name>antiClickJackingUri</param-name>
<param-value><jira-base-url></param-value>
</init-param>
Solution for Root cause 4 (issue caused by Confluence Server/Data Center 8.5.7)
As suggested, in the article KB preview is failing with a "Refused to frame 'site' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'"." error in browser's console, we can use the http.header.security.content.security.policy.value value to make secure for the specific domains. By default, this value is just frame-ancestors ‘self' but you could override it to add your exempt domain:
Content-Security-Policy:frame-ancestors 'self'
This policy prevents the page from being embedded in iFrames on any other domains. It's a security measure to mitigate risks associated with clickjacking attacks and unauthorized framing of your content on other websites.
- Shut down Confluence
Set the below JVM parameters (on all nodes if you are using multi-node DataCenter cluster) to add the below argument to your setting for allowing only the Jira host to view Confluence content in an iFrame (please change <JIRA hostname> with yours before applying configuration.); – See Configuring System Properties for more on setting System Properties.
CATALINA_OPTS="-Dhttp.header.security.content.security.policy.value=\"frame-ancestors 'self' <JIRA hostname>\" ${CATALINA_OPTS}"
- Restart Confluence (all nodes if you are using multi-node DataCenter cluster)
Solution for Root cause 5 (Reverse proxy setting Cross-Origin-Embedder-Policy to require-corp):
Remove any configuration in your reverse proxy server that sets the Cross-Origin-Embedder-Policy header.
For example:
If you are using Apache, check if the following configuration is found in the file httpd.conf. If you find such configuration, remove it:
Header always append Cross-Origin-Embedder-Policy require-corp
If you are using Nginx, check it if is configured with the header shown below. If you find such configuration, remove it:
add_header Cross-Origin-Embedder-Policy require-corp;
Alternatively, if Jira Service Management and Confluence are running on the same sub domain (e.g. jira.mycompany.com and wiki.mycompany.com), try setting the Cross-Origin-Embedder-Policy header value to same-site.
Solution for Root cause 6 (integration with Confluence Cloud):
Option 1
Firefox: Click on the button displayed in the place of the article and log in to Confluence in another tab. Then you can go back to the Customer Portal and view all the articles you have access to.
Chrome, Firefox and other browsers: Click on the "View article in new window" link that is displayed below where the article should be.
Option 2
Configure the Confluence Cloud instance with anonymous access, as per Setting Up Public Access.
In addition to this, also configure the Confluence Cloud KB Space with anonymous access:
With such configuration, Service Desk customers will no longer have to be logged into Confluence Cloud to view any KB article, and the KB article will be displayed in the iFrame.