JIRA Gantt Chart add-on gadget will not display in Confluence - get error message

Anyone seen this error/warning when trying to use this gadget in Confluence:

Security Aspect:

You are not allowed to request content from within the JIRA Gantt-Chart gadget, most likely due to your same-origin-policy!

9 answers

1 accepted

Accepted Answer
1 vote

Hi Ryan,

That's not a bug: it is a problem with your infrastructure set-up. Your browsers detect that security violation and prevent loading data in the background. You can find more information about "same origin policy" using Google/Yahoo or whatever search engine you prefer.

Your internet-protocol, domain and port must be the same for JIRA and Confluence like http://x.y.z:8080/jira and http://x.y.z:8080/confluence. If you configure your Atlassian systems like this, it works quite well and your users will be happy and secure as well!

I will not implement a workaround to disable the browser's default behaviour, which opens security holes, as it really makes sense to have that. Just imagine you are browsing a web-site and content is loaded in the background from http://hacker.com or something equivalent!

Regards,
Frank

I believe I was encountering this issue and have managed to resolve it with a few deeper tweaks.

First, my problem:

We wanted to separate our jira and confluence servers for both simpler urls and discrete resource management. So I moved confluence from issues.server.com/confluence to wiki.server.com.

I left our jira server at issues.server.com/jira

Suddenly, the gantt charts aren't displaying. Same Origin policy error in browser console, ah crud.

My Solution:

I used CORS to solve this. This required a change to the apache config (enabling CORS for the trusted server) on the jira server and modifying a JS file within the JPlugs plugin jar file.

Here's the change to your virtual host in apache:

  # Enable CORS for http(s)://*.YOURDOMAIN Origins
  # (escape the dots when substituting YOURDOMAIN, e.g. server\.com)
  <IfModule mod_headers.c>
    # Echo the request's Origin back only when it matches the trusted domain
    SetEnvIfNoCase Origin "(http(s)?://)((.+)\.)?(YOURDOMAIN)$" AccessControlAllowOrigin=$1$3$5
    Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
    Header set Access-Control-Allow-Credentials true env=AccessControlAllowOrigin

    # Preflight: methods the browser may use
    SetEnvIfNoCase Access-Control-Request-Method "(.+)" AccessControlRequestMethod
    Header set Access-Control-Allow-Methods "GET,POST,HEAD" env=AccessControlRequestMethod

    # Preflight: request headers the browser may send
    # (the response header is Access-Control-Allow-Headers, not ...-Request-Headers)
    SetEnvIfNoCase Access-Control-Request-Headers "(.+)" AccessControlRequestHeaders
    Header set Access-Control-Allow-Headers "X-Requested-With" env=AccessControlRequestHeaders
  </IfModule>

And I changed com/jplugs/plugin/gantt/includes/jsjplugs/jplugs-js-gantt.js within the plugin jar. Around line 1448, we see:

if (window.XMLHttpRequest)
 {
         xhttp=new XMLHttpRequest();
 }
 else // IE 5/6
 {
         xhttp=new ActiveXObject("Microsoft.XMLHTTP");
 }
 xhttp.open("GET",content,false);
 xhttp.send();
 xmlDoc=xhttp.responseXML;

Simply add a line after creating a new XMLHTTPRequest object:

if (window.XMLHttpRequest)
 {
         xhttp=new XMLHttpRequest();
         xhttp.withCredentials=true;
 }
 else // IE 5/6
 {
         xhttp=new ActiveXObject("Microsoft.XMLHTTP");
 }
 xhttp.open("GET",content,false);
 xhttp.send();
 xmlDoc=xhttp.responseXML;

That will instruct the browser that it's OK to send cookies in cross domain requests utilizing the CORS headers in the request/response.

Note that this requires you to edit the plugin, which likely means you void the warranty or support agreement or EULA or someone's patent. Take Frank's warning seriously and only use my hack if you really need to.
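Added example, not part of the posts in this thread: a JavaScript check of the Origin pattern from the Apache snippet above against constructed Origin values, next to a stricter pattern. `example.co.uk` is a constructed stand-in for YOURDOMAIN, and the HTTPS-only rule and the `Vary: Origin` header are assumptions of this example rather than part of the posted configuration.

```javascript
// "example.co.uk" is a constructed stand-in for YOURDOMAIN.
const DOMAIN = "example.co.uk";

// Pattern as posted, with YOURDOMAIN substituted verbatim (dots left
// unescaped); the "i" flag mirrors SetEnvIfNoCase.
const postedPattern = new RegExp("(http(s)?://)((.+)\\.)?(" + DOMAIN + ")$", "i");

// Stricter variant (assumption: both sites are served over HTTPS):
// anchored at both ends, https only, dots escaped, host labels restricted.
const escaped = DOMAIN.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
const strictPattern = new RegExp("^https://(?:[a-z0-9-]+\\.)*" + escaped + "$", "i");

// Returns the CORS response headers a server would send for a request
// carrying this Origin, or null when the origin is not trusted.
function corsHeaders(origin, pattern) {
  if (typeof origin !== "string" || !pattern.test(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,      // one origin, never "*"
    "Access-Control-Allow-Credentials": "true", // cookies may be sent
    "Vary": "Origin",                           // added: response differs per origin
  };
}

// Constructed sample Origin values.
const samples = [
  "https://wiki.example.co.uk",         // the Confluence host
  "https://example.co.uk",              // the bare domain
  "http://wiki.example.co.uk",          // same host over plain HTTP
  "https://example-co.uk",              // a different registrable domain
  "https://wiki.example.co.uk.invalid", // trusted name used as a prefix
];

// Lists the sample origins that a pattern would trust with credentials.
function audit(pattern) {
  return samples.filter((o) => corsHeaders(o, pattern) !== null);
}

console.log("posted pattern trusts:", audit(postedPattern));
console.log("strict pattern trusts:", audit(strictPattern));
```

The posted pattern trusts `https://example-co.uk` because each unescaped dot matches any character, which is why the dots in YOURDOMAIN need escaping in the Apache directive as well.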

Chad, for what version of plugin is your solution?

I could not find com/jplugs/plugin/gantt/includes/jsjplugs/jplugs-js-gantt.js within plugin_1133294473520394069_gantt-2.4.0-JIRA5.2-UPM2.10.jar

Looks like we're on version 2.2.0 still.

Good job, thanks for publishing your CORS-based solution. I have updated my source code and included the following code snippet within the Gantt-Gadget:

xhttp.withCredentials=true;

It will be published with Gantt-Chart v2.4.1 soon.

Regards,
Frank

Great to hear, that's one less hack I have to maintain going forward. Thank you! :)

"jsjplugs/jplugs-js-gantt.js" is a different addon and NOT my Gantt-Chart addon (please see on Atlassian Marketplace)!

Regards,
Frank

Chad, can you clarify, did you solve issue with Frank's plugin (and what corrections did you make to that plugin) or with some other plugin?

I'm sorry Frank, I should have paid more attention to the labels.

My mod is for com.jplugs.plugin.gantt, version 2.2.0, which is not what this question was about. Apologies for the confusion.

I have some progress on this issue. In fact I got it working for some time.

Thanks to Frank, he sent me a pre-release of version 2.4.1 of his plugin. I configured Apache as Chad recommended.

The only thing that was missing: the Apache module headers.c was not enabled by default.

I uncommented this string in httpd.conf:

LoadModule headers_module modules/mod_headers.so

and voila, it works! Gadget contents showing in confluence.

I tried to show the result to another user and all he saw was JIRA logon screen instead of Gantt chart.

I made logoff/logon in JIRA and Confluence on my machine, and after that I got JIRA logon screen inside of a gadget in Confluence.

And since then I can never get it back working :(

I tried logging in and out, reinstalled plugin, but no use.

JIRA logs this line:

2013-10-31 14:03:22,526 http-bio-8080-exec-5 WARN anonymous 843x2100x1 - 10.0.109.90,10.0.109.115 /plugins/servlet/gantt-issues [jira.plugins.servlet.GanttServlet] user is not logged in -> force redirect to login screen

Please someone give me a hint.
