
Confluence Companion app NGINX (Content Security Policy) configuration

Since the last update of Companion, it is no longer working with our NGINX set-up. I found out that it is because of the CSP directive that we've set, but no matter the changes I make, nothing works.

Original CSP directive:

add_header Content-Security-Policy "default-src https: wss: blob: goedit: 'unsafe-inline' 'unsafe-eval'; connect-src https://*.atlassian.com 'self' ws:; img-src blob: https: data: 'unsafe-inline' *; font-src https: data:" always;

Result:

Refused to frame '' because it violates the following Content Security Policy directive: "default-src https: wss: blob: goedit:". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback

So I figured, let's add frame-src:

add_header Content-Security-Policy "default-src https: wss: blob: goedit: 'unsafe-inline' 'unsafe-eval'; connect-src https://*.atlassian.com 'self' ws:; frame-src 'self'; img-src blob: https: data: 'unsafe-inline' *; font-src https: data:" always;

But now it reports:

Refused to frame '' because it violates the following Content Security Policy directive: "frame-src 'self'".

Kinda lost here; in the first place, why does it load .... nothing? Just '', I'd expect a website there or something, but no matter the changes I make to frame-src, it keeps complaining.

What I tried:

frame-src 'self';
frame-src '*';
frame-src '';
frame-src 'self' data:;
frame-src '*.mydomain.com';
frame-src 'none';


Even tried to allow all frames via X-FRAME-OPTIONS as well as adding frame-ancestors and combining all of the above in various ways, but the result is the same.

Help is very much appreciated.

Thanks!

4 answers

2 accepted

1 vote
Answer accepted

Hi @Tommy van Extel ,

Confluence 7.3+ uses a hidden iframe to attempt to launch Companion's custom protocol (atlassian-companion). This allows us to avoid communicating via local WebSockets which caused many issues for our customers. We use a hidden iframe so that we don't redirect the page that the user is on.

The iframe is originally created with iframe.src="about:blank". We need to allow "about:blank" as a 'frame-src' in the CSP. However, it is not valid to use "about:blank" in the CSP. I'm currently investigating what can be done.

Regards,
Alex

Hi Alex,

Thank you very much. I tried about:blank later on as well but indeed, that's not accepted by CSP.

Thanks for your efforts.

Hi @Tommy van Extel ,

From my testing, it turns out that the browser is blocking us from setting the iframe's href, not the src. Therefore you will be able to resolve the issue by adding `atlassian-companion:` to the default-src or frame-src list. 

For example: 

frame-src atlassian-companion:;

Regards,
Alex

Tommy van Extel likes this
0 votes
Answer accepted

Hi Alex,

I made the change as suggested and that indeed works, thank you very much! 

Please allow me a "n00b" question . . .
In which file do you add these frame-src... changes?

Hi Brian,

Do you use NGINX as a reverse proxy? Because you'll have to add it to your site config in NGINX.

Yes, I do that - "reverse proxy", I am told. 

Thanks for responding. 

I've also read now that since I only run Confluence 6.15.2 I *might* need to configure with 'something else' than frame-src? (add_header whatnots?)

When trying to add an Office doc to an issue, and then Edit it, Confluence in browser will show the Office document just fine and then present the "Edit with" option in top right (Firefox). But...

The Companion app IS installed on every client's PC, but Confluence refuses to "see" that, and only pops up the message that Companion should be installed for either Mac/Windows (with links), and I just can't trace where it checks and never finds that the app is present.

I am afraid I have until now lived in complete and utter ignorance concerning proxies/reverse or whatever ;)
I hope you understand my issue - and not least have some time to direct me towards an answer ;)

Yeah on the server running NGINX you probably have a site config in either /etc/nginx/conf.d or /etc/nginx/sites-enabled/ (a file most likely named after your website). 

You indeed will have to add add_header, so the line will look like this (this is what we use):

add_header Content-Security-Policy "default-src https: wss: blob: goedit: 'unsafe-inline' 'unsafe-eval'; connect-src https://*.atlassian.com 'self' ws:; img-src blob: https: data: 'unsafe-inline' *; font-src https: data:; frame-src atlassian-companion: 'self'" always;

Make sure you only have 1 "add_header Content-Security-Policy" entry :)
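The fallback the two error messages in the question describe (no frame-src, so default-src governs; then frame-src 'self' rejecting a custom-scheme launch) and the fix Alex and Tommy arrive at (adding atlassian-companion: to frame-src) can be checked with this small evaluator. It is an added example, not code from the thread or from Atlassian; the origin and launch URL are constructed, and the matcher implements only the source forms used in the headers on this page.

```python
# Added example (not from the thread or Atlassian): resolve frame-src with
# the default-src fallback and test a URL against the resulting source list.
from urllib.parse import urlsplit

NETWORK_SCHEMES = {"http", "https", "ws", "wss"}   # what a bare '*' source can match


def parse_csp(header: str) -> dict:
    """'dir a b; dir2 c' -> {'dir': ['a', 'b'], 'dir2': ['c']} (last directive wins)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source: str, url: str, self_origin: str) -> bool:
    """One source expression vs. a URL: 'none', 'self', '*', scheme-source, host-source."""
    target = urlsplit(url)
    if source == "'none'":
        return False
    if source == "'self'":
        me = urlsplit(self_origin)
        return (target.scheme, target.netloc) == (me.scheme, me.netloc)
    if source == "*":
        return target.scheme in NETWORK_SCHEMES       # custom schemes are NOT covered by '*'
    if source.endswith(":") and "//" not in source:   # scheme-source, e.g. atlassian-companion:
        return target.scheme == source[:-1].lower()
    if "://" in source:                               # host-source, e.g. https://*.atlassian.com
        allowed = urlsplit(source)
        host = target.hostname or ""
        if allowed.hostname.startswith("*."):
            host_ok = host.endswith(allowed.hostname[1:])   # "*.atlassian.com" -> ".atlassian.com"
        else:
            host_ok = host == allowed.hostname
        return target.scheme == allowed.scheme and host_ok
    return False                                      # keywords like 'unsafe-inline' match no URL


def frame_allowed(header: str, url: str, self_origin: str) -> tuple:
    """Return (allowed, governing directive): frame-src if present, else default-src."""
    policy = parse_csp(header)
    directive = "frame-src" if "frame-src" in policy else "default-src"
    sources = policy.get(directive)
    if sources is None:
        return True, "(unrestricted)"
    return any(source_matches(s, url, self_origin) for s in sources), directive


ORIGINAL_CSP = ("default-src https: wss: blob: goedit: 'unsafe-inline' 'unsafe-eval'; "
                "connect-src https://*.atlassian.com 'self' ws:; "
                "img-src blob: https: data: 'unsafe-inline' *; font-src https: data:")
FIXED_CSP = ORIGINAL_CSP + "; frame-src atlassian-companion: 'self'"
SELF_ORIGIN = "https://confluence.example.com"                # constructed origin
LAUNCH_URL = "atlassian-companion://launch?file=placeholder"  # constructed; only the scheme matters
```

Running frame_allowed(ORIGINAL_CSP, LAUNCH_URL, SELF_ORIGIN) reports the block under default-src, the same header plus "frame-src 'self'" reports the block under frame-src, and FIXED_CSP allows the launch.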

Thanks a million, Tommy 
I've added your suggested Content-Security-Policy in my /etc/nginx/sites-enabled/confluence file and restarted nginx/confluence
It was added as in your setup - I don't see any sites specifics that might need adjusting here. 

But no dice :/ - the website still claims that "I need to be connected to internet" to install the Companion App. The server is nowhere near Internet, and the Companion allegedly IS installed on the PC.
I guess our PC-installation team still needs to do some config on Companion or whatnot, because Confluence clearly does not see it as already available on the client machine.  

If you have a hint, I'd love it - otherwise thanks for having tried ;) 

@Brian 


I assume you checked the NGINX config with "nginx -t" and restarted it with the service command or "nginx -s reload"?

If you want, feel free to share your config with me (change any references that contain your server names/URLs/certificates - confidential data)

Also, could you check with Chrome "Inspect" when trying the Companion edit mode? Issues will show up in the "Console" tab.


Edit: created a new post by mistake
