Knowledge base preview is failing on the customer portal with a "Refused to frame 'site' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'"." error in browser's console


Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.

Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

The preview of Knowledge Base articles fails in the Customer Portal with one of two errors in the browser console:
"Refused to frame 'site' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'"."
"Refused to display '<KB_Link>' in a frame because it set 'X-Frame-Options' to 'sameorigin'."

Issue 1

When attempting to preview a Knowledge Base article from the JSM (Jira Service Management) Customer portal, customers receive an error message in the iframe popup "<confluence site URL> refused to connect":


The following error is found in the browser console, and the article contents are not displayed as expected:

"Refused to frame '<CONFLUENCE_BASE_URL>' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'"."


Issue 2

  • The console error for this variant refers to X-Frame-Options rather than Content-Security-Policy, and the HAR file shows an X-Frame-Options: SAMEORIGIN response header on the framed page

Environment

Jira Service Management Server/Data Center (any version), integrated with Confluence Server/Data Center (any version from 8.5.7)

Diagnosis

For Issue 1:

  • Record a HAR file while reproducing the Knowledge Base display issue in the customer portal
  • Open the HAR file and look for the request whose URL has the format <CONFLUENCE_BASE_URL>/plugins/servlet/remotepageview?pageId=XXXXXX
  • Check the browser console for the "Refused to frame '<CONFLUENCE_BASE_URL>' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'"" error
  • Check the content-security-policy header in that response: with the default configuration it is frame-ancestors 'self', which does not include the Jira host the portal is served from

For Issue 2

  • Create a page in Confluence
  • On a page served from a different origin, embed the Confluence page in an iframe with the following HTML:

    <iframe src="http://confluence.mycompany.com/display/SPC/My+Page"></iframe>
  • Review the console in the browser with Developer Tools (Ctrl+Shift+i): the "Refused to display" error names X-Frame-Options

Cause

This issue is caused by a change introduced in Confluence 8.5.7, which added the following response header to enable clickjacking protection by default:

Content-Security-Policy: frame-ancestors 'self'

The downside of this header is that the browser refuses to render the KB article inside the iframe on the customer portal, because the portal is served from the Jira origin rather than the Confluence origin.

This is tracked as a Confluence bug: CONFSERVER-95123.

Clickjacking protection itself is not new: Confluence has sent X-Frame-Options: SAMEORIGIN since 5.8.15 (the original bug report is CONFSERVER-29230 - UI Redressing (Clickjacking)). Since 8.5.7 both of the following headers are sent:

Content-Security-Policy: frame-ancestors 'self'
X-Frame-Options: SAMEORIGIN



A fix for this problem is available if you’re using Confluence 8.5.9, 8.9.1 or later.

If you’re using any other versions of Confluence, use the solution below to workaround the problem.

If you have used this workaround and you’ve upgraded to Confluence 8.5.9, 8.9.1 or later, you can remove this workaround from your system.


Solution

For Issue 1

The Confluence system property http.header.security.content.security.policy.value controls the value of this header and can be used to allow specific origins to open Confluence pages in an iframe. By default it is set to frame-ancestors 'self':

Content-Security-Policy: frame-ancestors 'self'

This policy prevents the page from being embedded in iframes on any origin other than Confluence's own. It mitigates clickjacking and unauthorized framing of your content on other websites, so the allow-list should be limited to the Jira base URL (scheme and host, plus the port if it is non-standard) and never widened to a wildcard.

To allow the JSM Customer portal to display Confluence articles in an iframe, follow the steps below:

  1. Shut down Confluence
  2. Set the JVM parameter below (on all nodes if you are using a multi-node Data Center cluster) so that only the Jira host may view Confluence content in an iframe. Replace <JIRA hostname> with the origin of your Jira base URL, for example https://jira.example.com, before applying the configuration. See Configuring System Properties for more on setting system properties.

    1. If Confluence is not running as a service and the JVM parameters are configured in the setenv.sh or the setenv.bat file, add the row below:

      CATALINA_OPTS="-Dhttp.header.security.content.security.policy.value=\"frame-ancestors 'self' <JIRA hostname>\" ${CATALINA_OPTS}"

      Be sure to replace "<JIRA hostname>" with the hostname of your Jira environment.

    2. If Confluence is configured as a Windows Service, add the Java option below on a new line (without the double quotes):

      -Dhttp.header.security.content.security.policy.value=frame-ancestors 'self' <JIRA hostname>

      Be sure to replace "<JIRA hostname>" with the hostname of your Jira environment.

  3. Start Confluence (all nodes if you are using a multi-node Data Center cluster)
  4. Verify that articles can now be displayed from the customer portal. If you record a new HAR file, the content-security-policy header on the remotepageview response should now read frame-ancestors 'self' <JIRA hostname>.
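To make the diagnosis steps and the Issue 1 fix concrete, the following is an added Python example for this article; it is not Atlassian code and not part of the original page. It models the browser's framing decision from the two response headers you find in the HAR entry for the remotepageview request, reproduces the two console errors quoted above, and builds the http.header.security.content.security.policy.value setting from the Jira base URL (scheme and host, port only when non-default, never the context path). The hostnames confluence.example.com and jira.example.com and the header values are constructed placeholders. The rule that a frame-ancestors directive takes precedence over X-Frame-Options is the behaviour of browsers implementing CSP Level 2, not something this article states.

```python
"""Added example: model the browser's framing decision for a Confluence
response and build the Issue 1 property value. Not Atlassian code."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_origin(url):
    """(scheme, host, port) for an origin or URL; a bare hostname is https."""
    if "://" not in url:
        url = "https://" + url
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, u.hostname.lower(), u.port or DEFAULT_PORTS.get(scheme)


def frame_ancestors_sources(csp):
    """Source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def source_matches(source, ancestor, document):
    """CSP source matching reduced to what frame-ancestors needs: 'self',
    'none', '*', a scheme-source, and a host-source with optional scheme,
    wildcard subdomain and port."""
    a_scheme, a_host, a_port = parse_origin(ancestor)
    d_scheme, d_host, d_port = parse_origin(document)
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return (a_scheme, a_host, a_port) == (d_scheme, d_host, d_port)
    if src == "*":
        return True
    if src.endswith(":") and "://" not in src:      # scheme-source, e.g. https:
        return a_scheme == src[:-1]
    if "://" in src:
        s_scheme, rest = src.split("://", 1)
        if a_scheme != s_scheme:
            return False
    else:
        # No scheme given: the ancestor must use the document's scheme,
        # or https when the document is plain http.
        rest = src
        if not (a_scheme == d_scheme or (d_scheme == "http" and a_scheme == "https")):
            return False
    host, _, port = rest.split("/", 1)[0].partition(":")
    if host.startswith("*."):
        if not a_host.endswith(host[1:]):
            return False
    elif a_host != host:
        return False
    if port == "*":
        return True
    if port == "":
        return a_port == DEFAULT_PORTS.get(a_scheme)
    return a_port == int(port)


def browser_allows_frame(headers, ancestor, document):
    """(allowed, reason) for framing `document` from `ancestor`, worded like
    the console errors in this article. A frame-ancestors directive takes
    precedence over X-Frame-Options, as browsers implementing CSP Level 2 do."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors_sources(h.get("content-security-policy", ""))
    if sources is not None:
        if any(source_matches(s, ancestor, document) for s in sources):
            return True, "allowed by frame-ancestors"
        return False, ("Refused to frame '%s' because an ancestor violates the following "
                       "Content Security Policy directive: \"frame-ancestors %s\"."
                       % (document, " ".join(sources)))
    xfo = h.get("x-frame-options", "").strip()
    same_origin = parse_origin(ancestor) == parse_origin(document)
    if xfo.upper() == "DENY" or (xfo.upper() == "SAMEORIGIN" and not same_origin):
        return False, ("Refused to display '%s' in a frame because it set "
                       "'X-Frame-Options' to '%s'." % (document, xfo))
    return True, "no framing restriction"


def csp_value_for_jira(jira_base_url):
    """Value for -Dhttp.header.security.content.security.policy.value built from
    the Jira base URL: scheme and host, the port only when non-default, no path."""
    scheme, host, port = parse_origin(jira_base_url)
    origin = "%s://%s" % (scheme, host)
    if port != DEFAULT_PORTS.get(scheme):
        origin += ":%d" % port
    return "frame-ancestors 'self' %s" % origin


if __name__ == "__main__":
    confluence = "https://confluence.example.com"   # constructed placeholder
    portal = "https://jira.example.com/jira"        # constructed placeholder
    # Headers as captured in the HAR before the fix (Confluence 8.5.7 default).
    before = {"Content-Security-Policy": "frame-ancestors 'self'",
              "X-Frame-Options": "SAMEORIGIN"}
    after = dict(before, **{"Content-Security-Policy": csp_value_for_jira(portal)})
    print("before:", browser_allows_frame(before, "https://jira.example.com", confluence))
    print("after: ", browser_allows_frame(after, "https://jira.example.com", confluence))
    print("other: ", browser_allows_frame(after, "https://attacker.example", confluence))
```

Run it with python3 to see the verdict before and after the fix; paste the headers from your own HAR entry and your own origins into browser_allows_frame to confirm the new policy admits exactly the Jira origin and nothing else. When you put the value into setenv.sh, keep the escaped inner quotes exactly as the article's CATALINA_OPTS line shows, since the value contains spaces.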

For Issue 2

Disable clickjacking protection in Confluence

Note that this removes framing protection for every Confluence page, not just the KB articles, so any site will be able to embed your Confluence content. Prefer the Issue 1 solution (an explicit frame-ancestors allow-list) wherever the embedding origin is known.

  1. Shut down Confluence

  2. Set the JVM parameters below (on all nodes if you are using a multi-node Data Center cluster) to disable the security headers. See Configuring System Properties for more on setting system properties.

    1. To disable X-Frame-Options, set the JVM parameter

      -Dconfluence.clickjacking.protection.disable=true
    2. To disable Content-Security-Policy, set the JVM parameter

      -Dhttp.header.security.content.security.policy.disabled=true

    Both parameters are needed: modern browsers ignore X-Frame-Options when a frame-ancestors directive is present, but once the Content-Security-Policy header is gone, X-Frame-Options: SAMEORIGIN alone still blocks the cross-origin frame.
  3. Restart Confluence (all nodes if you are using a multi-node Data Center cluster)

The page will now appear in the iframe.

  



Last modified on Nov 15, 2024
