X-Frame-Options on Jira JSP pages

3layer (expert) March 2, 2012

Hi guys.

We have a customer that wants to upgrade their Jira instance.
But we ran into a problem in this process: they use some kind of scanner (a PCI scan) on their network to check for system threats, and this scanner is reporting a "Possible Clickjacking vulnerability". The recommended solution is to set the X-Frame-Options meta information on several pages to prevent the inclusion of external pages (i.e. addresses that are not in Jira's domain) in Jira gadgets.
I would like some help, since I have made this change on '/secure/ViewKeyboardShortcuts!default.jspa' and the HTML generated in the browser does not reflect these changes.
Are there other locations where I should make these changes?

Jira 4.4.5

2 answers


0 votes
Marc Jason Mutuc
March 13, 2014

I'm also encountering this problem. When I add the header script to the httpd.conf file, no one can log in to JIRA. Any thoughts?

0 votes
Dieter
March 2, 2012
In this issue https://jira.atlassian.com/browse/JRA-25793 there is a solution for how to set meta information to control browser compatibility. It should be possible to add more meta information for your use case in header.jsp.
Dieter
March 2, 2012
If you need to be more specific about the page where you include your information, I think it is necessary to define a decorator (search for decorators.xml and google for SiteMesh) and to apply it to the pages in question. Though I must admit that I haven't had any experience with that yet, I am sure someone else here has.
Dieter
March 2, 2012
There is another way to make your solution more deployable, using a servlet filter plugin. Please check this: https://developer.atlassian.com/display/JIRADEV/Servlet+Filter+Plugin+Module Since meta information can also be returned as a response header, your filter would just write the response header X-Frame-Options to the servlet response. This would automatically be done for the URLs specified in atlassian-plugin.xml.
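The servlet-filter approach from the answer above, as an added example that is not part of the original thread or of any Atlassian code. Two points a practitioner should know before trying the header.jsp route suggested earlier: browsers only honour X-Frame-Options as an HTTP response header, not as a `<meta http-equiv>` tag, so a filter or a reverse-proxy rule is where it has to be set; and Jira renders its dashboard gadgets in same-origin iframes, so the value should be SAMEORIGIN rather than DENY, otherwise Jira's own pages frame-bust themselves. The class name, plugin key, URL patterns and the `policy` init-param are assumptions for illustration; the descriptor fragment in the comment shows where they plug into atlassian-plugin.xml.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds an X-Frame-Options header to every response matched by the URL patterns
 * declared for this filter in atlassian-plugin.xml. Example (assumed) descriptor:
 *
 *   <servlet-filter key="xfo-filter" name="X-Frame-Options Filter"
 *                   class="com.example.jira.XFrameOptionsFilter"
 *                   location="before-dispatch" weight="100">
 *     <url-pattern>/secure/*</url-pattern>
 *     <url-pattern>/browse/*</url-pattern>
 *     <init-param>
 *       <param-name>policy</param-name>
 *       <param-value>SAMEORIGIN</param-value>
 *     </init-param>
 *   </servlet-filter>
 *
 * Names above (key, class, patterns, init-param) are illustrative, not Atlassian's.
 */
public class XFrameOptionsFilter implements Filter {

    static final String HEADER = "X-Frame-Options";

    // SAMEORIGIN keeps Jira's own same-origin gadget iframes working;
    // DENY would block them as well as third-party framing.
    private String policy = "SAMEORIGIN";

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Optional override via init-param; only the two widely supported
        // values are accepted so a typo in the descriptor cannot disable the header.
        String configured = config.getInitParameter("policy");
        if (configured != null) {
            if (!isValidPolicy(configured)) {
                throw new ServletException(HEADER + " policy must be DENY or SAMEORIGIN, got: " + configured);
            }
            policy = normalize(configured);
        }
    }

    static String normalize(String value) {
        return value.trim().toUpperCase();
    }

    static boolean isValidPolicy(String value) {
        String v = normalize(value);
        return v.equals("DENY") || v.equals("SAMEORIGIN");
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // Set the header before the chain runs: once the response is committed
            // (first body bytes flushed) a later setHeader() is silently ignored.
            if (!http.containsHeader(HEADER)) {
                http.setHeader(HEADER, policy);
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

After deploying the plugin, verify with the browser's network inspector or `curl -I` against one of the mapped URLs that the response carries `X-Frame-Options: SAMEORIGIN`; the scanner that flagged the clickjacking finding checks the response header, not the page's HTML.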