Confluence Companion app NGINX (Content Security Policy) configuration

Tommy van Extel March 11, 2020

Since the last update of Companion, it is no longer working with our NGINX set-up. I found out that it is because of the CSP directive that we've set, but no matter the changes I make, nothing works.

Original CSP directive:

add_header Content-Security-Policy "default-src https: wss: blob: goedit: 'unsafe-inline' 'unsafe-eval'; connect-src https://*.atlassian.com 'self' ws:; img-src blob: https: data: 'unsafe-inline' *; font-src https: data:" always;

Result:

Refused to frame '' because it violates the following Content Security Policy directive: "default-src https: wss: blob: goedit:". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback

So I figured, let's add frame-src:

add_header Content-Security-Policy "default-src https: wss: blob: goedit: 'unsafe-inline' 'unsafe-eval'; connect-src https://*.atlassian.com 'self' ws:; frame-src 'self'; img-src blob: https: data: 'unsafe-inline' *; font-src https: data:" always;

But now it reports:

Refused to frame '' because it violates the following Content Security Policy directive: "frame-src 'self'".

Kinda lost here. In the first place, why does it load .... nothing? Just '', I'd expect a website there or something, but no matter the changes I make to frame-src, it keeps complaining.

What i tried:

frame-src 'self';
frame-src '*';
frame-src '';
frame-src 'self' data:;
frame-src '*.mydomain.com';
frame-src 'none';


Even tried to allow all frames via X-FRAME-OPTIONS as well as adding frame-ancestors and combining all of the above in various ways, but the result is the same.

Help is very much appreciated.

Thanks!

4 answers

2 accepted

1 vote
Answer accepted
Alex K
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 11, 2020

Hi @Tommy van Extel ,

Update: The fix is to add "frame-src atlassian-companion:;" to the content security policy. 

Original response: 

Confluence 7.3+ uses a hidden iframe to attempt to launch Companion's custom protocol (atlassian-companion). This allows us to avoid communicating via local WebSockets which caused many issues for our customers. We use a hidden iframe so that we don't redirect the page that the user is on.

The iframe is originally created with iframe.src="about:blank". We need to allow "about:blank" as a 'frame-src' in the CSP. However, it is not valid to use "about:blank" in the CSP. I'm currently investigating what can be done.

Regards,
Alex

Tommy van Extel March 12, 2020

Hi Alex,

Thank you very much. I tried about:blank later on as well but indeed, that's not accepted by CSP.

Thanks for your efforts.

Alex K
Atlassian Team
March 15, 2020

Hi @Tommy van Extel ,

From my testing, it turns out that the browser is blocking us from setting the iframe's href, not the src. Therefore you will be able to resolve the issue by adding `atlassian-companion:` to the default-src or frame-src list. 

For example: 

frame-src atlassian-companion:;

Regards,
Alex

Tommy van Extel September 21, 2020

Hi Alex,

It seems like this solution stopped working after we upgraded to Confluence 7.7.2. Any idea if something changed in the way it works? Our policy worked as communicated back then, but suddenly broke:

add_header Content-Security-Policy "default-src https: wss: blob: goedit: 'unsafe-inline' 'unsafe-eval'; connect-src *.atlassian.com 'self' ws:; img-src blob: https: data: 'unsafe-inline' *; font-src https: data:; frame-src atlassian-companion: 'self' *.zendesk.com" always;

Refused to frame '' because it violates the following Content Security Policy directive: "frame-src 'self' atlassian-companion: *.zendesk.com".
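The accepted answer above explains why the original policy failed (no frame-src, so the browser falls back to default-src) and why a scheme-source is the fix. The following Python script is an added example, not code from this thread or from Atlassian: it extracts the policy from an nginx add_header line and evaluates whether a hidden iframe pointing at the atlassian-companion: scheme would be allowed, using a deliberately simplified subset of CSP source matching. The page origin https://wiki.example.com and the launch URL are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed samples: the question's original nginx line, the accepted fix, and a launch URL on the custom scheme the hidden iframe navigates to.
ORIGINAL = """add_header Content-Security-Policy "default-src https: wss: blob: goedit: 'unsafe-inline' 'unsafe-eval'; connect-src https://*.atlassian.com 'self' ws:; img-src blob: https: data: 'unsafe-inline' *; font-src https: data:" always;"""
FIXED = """add_header Content-Security-Policy "default-src https: wss: blob: goedit: 'unsafe-inline' 'unsafe-eval'; connect-src https://*.atlassian.com 'self' ws:; img-src blob: https: data: 'unsafe-inline' *; font-src https: data:; frame-src atlassian-companion: 'self'" always;"""
COMPANION_URL = "atlassian-companion://launch"
NETWORK_SCHEMES = ("http", "https", "ws", "wss")

def csp_from_nginx_line(line: str) -> str:
    """Extract the quoted policy value from an nginx add_header line."""
    m = re.search(r'add_header\s+Content-Security-Policy\s+"([^"]*)"', line)
    if not m:
        raise ValueError("no Content-Security-Policy add_header in line")
    return m.group(1)

def parse_csp(policy: str) -> dict:
    """Split a policy into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def effective_frame_sources(directives: dict) -> list:
    """No frame-src -> the browser falls back to default-src (the first console error)."""
    return directives.get("frame-src", directives.get("default-src", []))

def source_matches(src: str, url: str, page_origin: str) -> bool:
    """Simplified CSP matching: 'self', bare '*', scheme-sources ("https:", "atlassian-companion:")
    and host-sources with a leading "*.". Other quoted tokens ('unsafe-inline', 'none', the invalid '*') never match."""
    u = urlsplit(url)
    if src == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if src == "*":
        return u.scheme in NETWORK_SCHEMES  # '*' never covers custom schemes
    if src.endswith(":") and "/" not in src:
        return u.scheme == src[:-1].lower()  # scheme-source
    if src.startswith("'"):
        return False
    host = src.split("://")[-1].split("/")[0].lower()  # host-source
    if u.scheme not in NETWORK_SCHEMES or not u.hostname:
        return False
    return u.hostname.endswith(host[1:]) if host.startswith("*.") else u.hostname == host

def frame_allowed(nginx_line: str, url: str, page_origin: str = "https://wiki.example.com") -> bool:
    # True if a frame pointing at url is permitted by the policy carried in nginx_line.
    sources = effective_frame_sources(parse_csp(csp_from_nginx_line(nginx_line)))
    return any(source_matches(s, url, page_origin) for s in sources)
```

frame_allowed(ORIGINAL, COMPANION_URL) is False and frame_allowed(FIXED, COMPANION_URL) is True, reproducing the two outcomes in the thread.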
0 votes
Answer accepted
Tommy van Extel March 16, 2020

Hi Alex,

I made the change as suggested and that indeed works, thank you very much! 

0 votes
Tommy van Extel June 10, 2020

@Brian 


I assume you checked the NGINX config with "nginx -t" and restarted it with the service command or "nginx -s reload"?

If you want, feel free to share your config with me (change any references that contain your server names/URLs/certificates - confidential data).

Also, could you check with Chrome "Inspect" when trying the Companion edit mode? Issues will show up in the "Console" tab.


Edit: created a new post by mistake

0 votes
Brian June 9, 2020

Please allow me a "n00b" question . . .
In which file do you add these frame-src... changes?

Tommy van Extel June 9, 2020

Hi Brian,

Do you use NGINX as a reverse proxy? Because you'll have to add it to your site config in NGINX.

Brian June 9, 2020

Yes, I do that - "reverse proxy", I am told. 

Thanks for responding. 

I've also read now that since I only run Confluence 6.15.2 I *might* need to configure with 'something else' than frame-src? (add_header whatnots?)

When trying to add an Office doc to an issue, and then Edit it, Confluence in browser will show the Office document just fine and then present the "Edit with" option in top right (Firefox). But...

The Companion app IS installed on every client's PC, but Confluence refuses to "see" that, and only pops up the message that Companion should be installed for either Mac/Windows (with links). And I just can't trace where it checks and never finds that the app is present.

I am afraid I have until now lived in complete and utter ignorance concerning proxies/reverse or whatever ;)
I hope you understand my issue - and not least have some time to direct me towards an answer ;)

Tommy van Extel June 9, 2020

Yeah on the server running NGINX you probably have a site config in either /etc/nginx/conf.d or /etc/nginx/sites-enabled/ (a file most likely named after your website). 

You indeed will have to add add_header, so the line will look like this (this is what we use):

add_header Content-Security-Policy "default-src https: wss: blob: goedit: 'unsafe-inline' 'unsafe-eval'; connect-src https://*.atlassian.com 'self' ws:; img-src blob: https: data: 'unsafe-inline' *; font-src https: data:; frame-src atlassian-companion: 'self'" always;

Make sure you only have 1 "add_header Content-Security-Policy" entry :)

Brian June 9, 2020

Thanks a million, Tommy 
I've added your suggested Content-Security-Policy in my /etc/nginx/sites-enabled/confluence file and restarted nginx/confluence.
It was added as in your setup - I don't see any sites specifics that might need adjusting here. 

But no dice :/ - the website still claims that "I need to be connected to internet" to install the Companion App. The server is nowhere near the Internet, and Companion allegedly IS installed on the PC.
I guess our PC-installation team still needs to do some config on Companion or whatnot, because Confluence clearly does not see it as already available on the client machine.  

If you have a hint, I'd love it - otherwise thanks for having tried ;) 
