Refused to connect to 'https://marketplace.atlassian.com/rest/2/geoip' because it violates the following Content Security Policy directive: connect-src 'self'


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

A third-party Marketplace app cannot be updated, and its app details cannot be expanded, because of Content Security Policy violations captured with the browser's Developer Tools:

  • Network trace (screenshot)
  • Console log (screenshot showing the "Refused to connect" error quoted above)

Environment

Jira with Reverse Proxy Server

Diagnosis

The Content Security Policy violation ceases when the same test is performed bypassing the reverse proxy, which points to the CSP header set by the proxy.
Check the Content Security Policy setup at the reverse proxy server:

  • Apache:
    Check the setup within the relevant virtual host configuration defined in the httpd-ssl.conf/httpd.conf file, e.g.:

    <Proxy *>
        Header set "Content-Security-Policy" "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'self'; media-src 'self'; frame-src 'self'; child-src 'self'; form-action 'self';"
    </Proxy>

  • Nginx:
    Check the setup within the relevant server configuration defined in the nginx.conf file, e.g.:

    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'self'; media-src 'self'; frame-src 'self'; child-src 'self'; form-action 'self';";

Cause

As per the Content Security Policy Reference, Content-Security-Policy (CSP) is the name of an HTTP response header that modern browsers use to enhance the security of the document (or web page). The CSP header lets you restrict where resources such as JavaScript, CSS, or pretty much anything else the browser loads may be fetched from. With connect-src 'self', the browser refuses any XHR/fetch call to a host other than the page's own origin, which is exactly the error captured in the console.

When a CSP is defined at the reverse proxy in front of the Jira application, its restrictions apply to every page the browser loads through the proxy, including the pages that fetch app details and images from the Atlassian Marketplace. In this case, the Marketplace hosts must be allowed in the connect-src and img-src CSP directives.

Solution

Update the Content Security Policy setup at the reverse proxy server:

  • Apache:
    Check the setup within the relevant virtual host configuration defined in the httpd-ssl.conf/httpd.conf file. Add marketplace.atlassian.com to the connect-src directive and marketplace-cdn.atlassian.com to the img-src directive:

    <Proxy *>
        Header set "Content-Security-Policy" "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self' marketplace.atlassian.com; img-src 'self' marketplace-cdn.atlassian.com data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'self'; media-src 'self'; frame-src 'self'; child-src 'self'; form-action 'self'"
    </Proxy>

  • Nginx:
    Check the setup within the relevant server configuration defined in the nginx.conf file. Add marketplace.atlassian.com to the connect-src directive and marketplace-cdn.atlassian.com to the img-src directive:

    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self' marketplace.atlassian.com; img-src 'self' marketplace-cdn.atlassian.com data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'self'; media-src 'self'; frame-src 'self'; child-src 'self'; form-action 'self';";
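To verify a policy change before deploying it to the proxy, the following small CSP evaluator (an added example, not code from this article or from Atlassian) applies the browser's matching rules for one fetch: directive lookup with default-src fallback, 'self', scheme-sources such as data:, and host-sources. The policies are abridged from the headers above, and the page origin https://jira.example.com is a constructed placeholder.

```python
# Added example: evaluate a CSP header for one fetch the way a browser does.
# Policies are abridged from the page's before/after headers; the page origin
# https://jira.example.com is a constructed placeholder.
from urllib.parse import urlparse

CSP_BEFORE = "default-src 'self'; connect-src 'self'; img-src 'self' data:"
CSP_AFTER = ("default-src 'self'; connect-src 'self' marketplace.atlassian.com; "
             "img-src 'self' marketplace-cdn.atlassian.com data:")

# Fetch directives that fall back to default-src when not listed explicitly.
FETCH_DIRECTIVES = {"connect-src", "img-src", "script-src", "style-src", "font-src",
                    "media-src", "frame-src", "child-src", "object-src"}

def parse_csp(header):
    """Split 'dir src src; dir src' into {directive: [sources]}; first occurrence wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def host_matches(pattern, host):
    """Match a host-source: exact host, or a '*.example.com' style wildcard."""
    return host.endswith(pattern[1:]) if pattern.startswith("*.") else host == pattern

def allows(header, directive, url, page_origin):
    """True if the governing directive permits `url` to be fetched from the page."""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None:
        if directive not in FETCH_DIRECTIVES:
            return True
        sources = policy.get("default-src")
        if sources is None:
            return True  # nothing governs this fetch: unrestricted
    target, origin = urlparse(url), urlparse(page_origin)
    for src in (s.lower() for s in sources):
        if src == "'none'":
            return False
        if src == "'self'":
            if (target.scheme, target.netloc) == (origin.scheme, origin.netloc):
                return True
        elif src == "*" or (src.endswith(":") and src[:-1] == target.scheme):
            return True  # wildcard or scheme-source such as data:
        elif "'" not in src:  # host-source, optionally with scheme, port or path
            host = src.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
            if host_matches(host, target.hostname or ""):
                return True
    return False
```

Running `allows(CSP_BEFORE, "connect-src", "https://marketplace.atlassian.com/rest/2/geoip", "https://jira.example.com")` returns False, reproducing the console error, while the same call against `CSP_AFTER` returns True.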



Last modified on Sep 22, 2022
