Setting up Content-Security-Policy for Atlassian products

tdeleeuw November 4, 2017

Hi

I have been looking for the right setting of CSP (Content-Security-Policy). I couldn't find it so I first tried with

Content-Security-Policy "default-src 'self';"

but then my pages were not rendered correctly anymore.

It seems to be working now with the following setting:

Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:";

Can anyone confirm these are the expected settings? Can I remove the unsafe-eval from the script?

Thanks

3 answers

2 votes
Tero Laihia November 6, 2017

I'd love some recommendation for this also. 

I've been testing CSP lately in our test environment (confluence 6.4.3, jira 7.4.0, apache 2.4.18 proxy), and so far it seems the only way to get it working is to define almost all CSP flags (thanks to https://content-security-policy.com, it has good description of those).

Here's an example from one of our subdomains' virtual host configs:

Header set Content-Security-Policy " \
default-src 'self' *.mydomain.com; \
script-src 'self' *.mydomain.com 'unsafe-inline' 'unsafe-eval'; \
style-src 'self' *.mydomain.com 'unsafe-inline'; \
img-src 'self' *.mydomain.com data:; \
connect-src 'self' *.mydomain.com; \
font-src 'self' *.mydomain.com; \
object-src 'self' *.mydomain.com; \
media-src 'self' *.mydomain.com; \
frame-src 'self' *.mydomain.com; \
child-src 'self' *.mydomain.com; \
form-action 'self' *.mydomain.com; \
"

We are using a wildcard subdomain in CSP; this seems to allow our two subdomains (jira and confluence) to talk to each other.

We are still getting some errors from jira and confluence admin pages, because both local server instances are trying to load a js file from jira.atlassian.com, which is now blocked by CSP. Whether that's fatal or not is still under investigation.
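To see what a policy like the one above actually permits, here is an added Python script (written for this thread, not Atlassian's or Apache's code) that parses a CSP header, applies the CSP3 directive fallback chains and a subset of source-expression matching, and audits the result. The policy string is Tero's, serialized on one line; the page origin https://jira.mydomain.com and the URLs checked in the demo and tests are assumptions. It makes two things visible that the Apache snippet hides: frame-ancestors and base-uri never fall back to default-src, so leaving them out leaves framing and base-tag injection unrestricted, and *.mydomain.com never matches the bare apex mydomain.com (a path layout such as mydomain.com/jira relies on 'self' instead). allows_keyword answers the "can I remove unsafe-eval" question for any candidate policy.

```python
"""Work out what a Content-Security-Policy header actually allows.

Added example for this thread, not Atlassian's or Apache's code. It applies
the CSP3 directive fallback chains and enough source matching for the
policies posted here ('self', 'none', keywords, scheme sources like data:,
host sources with an optional leading wildcard); nonces, hashes,
'strict-dynamic' and path matching are left out on purpose.
"""
from urllib.parse import urlsplit

FALLBACK = {  # a directive that is absent defers to the next one listed
    "script-src-elem": ["script-src-elem", "script-src", "default-src"],
    "style-src-elem": ["style-src-elem", "style-src", "default-src"],
    "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
    "frame-src": ["frame-src", "child-src", "default-src"],
}
# These never fall back to default-src: absent means no restriction at all.
NO_FALLBACK = {"frame-ancestors", "base-uri", "form-action", "sandbox"}
WEAK = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}

def parse_csp(header):
    """Serialized policy -> {directive: [sources]}; first duplicate wins."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy

def governing(policy, directive):
    """(directive applied, its sources) or (None, None) if unrestricted."""
    chain = [directive] if directive in NO_FALLBACK else FALLBACK.get(
        directive, [directive, "default-src"])
    for name in chain:
        if name in policy:
            return name, policy[name]
    return None, None

def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):           # *.mydomain.com matches subdomains
        suffix = pattern[1:]               # only, never the apex mydomain.com
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host

def source_allows(expr, url, page_origin):
    """Does one source expression permit loading url into page_origin?"""
    expr, u = expr.lower(), urlsplit(url)
    if expr == "'self'":
        p = urlsplit(page_origin)
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if expr.startswith("'"):               # 'none', keywords, nonces, hashes
        return False                       # never match a URL
    if expr.endswith(":"):                 # scheme source such as data:
        return u.scheme == expr[:-1]
    scheme, rest = expr.split("://", 1) if "://" in expr else (None, expr)
    host, _, port = rest.split("/", 1)[0].partition(":")
    if scheme != u.scheme and (scheme or u.scheme not in ("http", "https")):
        return False                       # scheme-less host sources are http(s) only
    if not _host_matches(host, u.hostname or ""):
        return False
    default = {"http": 80, "https": 443}.get(u.scheme)   # no port given means
    wanted = port if port else default                    # the scheme's default
    return port == "*" or str(u.port or default) == str(wanted)

def allows(policy, directive, url, page_origin):
    """-> (allowed, deciding directive); directive None means unrestricted."""
    name, sources = governing(policy, directive)
    if name is None:
        return True, None
    return any(source_allows(s, url, page_origin) for s in sources), name

def allows_keyword(policy, directive, keyword):
    """True when e.g. 'unsafe-eval' is in the governing source list, or when
    nothing governs the directive at all."""
    name, sources = governing(policy, directive)
    return name is None or keyword.lower() in [s.lower() for s in sources]

def audit(policy):
    """Findings a reviewer would raise before shipping the header."""
    findings = [f"{d} allows {s}" for d, srcs in policy.items()
                for s in srcs if s.lower() in WEAK]
    for d in sorted(NO_FALLBACK - {"sandbox"}):
        if d not in policy:
            findings.append(f"{d} missing: unrestricted, no fallback to default-src")
    return findings

# Tero Laihia's policy from the thread, serialized onto one line.
TERO = ("default-src 'self' *.mydomain.com; "
        "script-src 'self' *.mydomain.com 'unsafe-inline' 'unsafe-eval'; "
        "style-src 'self' *.mydomain.com 'unsafe-inline'; "
        "img-src 'self' *.mydomain.com data:; connect-src 'self' *.mydomain.com; "
        "font-src 'self' *.mydomain.com; object-src 'self' *.mydomain.com; "
        "media-src 'self' *.mydomain.com; frame-src 'self' *.mydomain.com; "
        "child-src 'self' *.mydomain.com; form-action 'self' *.mydomain.com")

if __name__ == "__main__":             # demo; page origin and attacker URL are assumed
    print(allows(parse_csp(TERO), "frame-ancestors", "https://attacker.example/", "https://jira.mydomain.com"))
    print("\n".join(audit(parse_csp(TERO))))
```

Run it against each candidate header before it goes into the proxy config: the audit output is the list of things you are consciously accepting, and allows() tells you whether a resource the admin pages complained about is blocked by an explicit directive or by fallback from default-src.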

tdeleeuw November 6, 2017

Hi

Thanks for your answer. I do not have the subdomain issue as I have mydomain.com/jira and mydomain.com/confluence ;-)

The JS content retrieved from Atlassian should probably be reported as a bug to Atlassian. Imagine one day they have a technical issue, then your "on-premises" instance can also be affected, or worse, if they get hacked, hackers could then inject anything they want straight into your admin console ;-(

If you do raise a bug, provide me the reference I will vote for it ;-)

Thanks

Thierry

Sascha Ziemann January 17, 2019

Did you manage to write a working CSP header?

0 votes
AnnWorley
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 14, 2017

@Tero Laihia I got a response from the security team regarding an official recommendation for CSP settings. They let me know that 

we do not have a recommendation for CSP settings for our products and that adding in these headers can cause problems with functionality. While you may find a setting that works for a given product version, future updates may break that policy.

Based on this, it sounds like trial and error is the only way to find out what will work in your environment. If your team uses Content Security Policy headers, it makes it more important than ever to test any upgrades on a test system before upgrading Production applications.
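The trial and error above can at least be made systematic: run the candidate policy as Content-Security-Policy-Report-Only with a report-uri first (in Apache, Header set Content-Security-Policy-Report-Only "..." instead of the enforcing header), let browsers send violation reports while the team exercises Jira and Confluence on the test system after an upgrade, then roll the reports up. The Python below is an added example for this thread, not Atlassian's code; the report bodies are constructed to match the JSON browsers POST to a report-uri endpoint, and the document and blocked URLs in them are assumptions (only the jira.atlassian.com host comes from the thread).

```python
"""Roll up Content-Security-Policy violation reports gathered while the
policy runs in Report-Only mode, so it can be tightened from evidence
rather than by trial and error.

Added example for this thread, not Atlassian's code. The report bodies are
constructed to match the JSON browsers POST to a report-uri endpoint; the
document and blocked URLs in them are assumptions, not captured traffic.
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit

REPORT_PATH = "/csp-report"   # assumed endpoint on the proxy that stores POST bodies

def _report(effective, blocked, document="https://jira.mydomain.com/secure/Dashboard.jspa"):
    """Build one constructed report body in the shape a browser sends."""
    return json.dumps({"csp-report": {
        "document-uri": document,
        "effective-directive": effective,
        "violated-directive": effective,
        "blocked-uri": blocked,
        "original-policy": "default-src 'self'; report-uri " + REPORT_PATH,
        "disposition": "report",
    }})

# Constructed sample: what a day of Report-Only traffic might yield.
SAMPLE_REPORTS = [
    _report("script-src-elem", "https://jira.atlassian.com/s/example.js"),  # path assumed
    _report("script-src-elem", "https://jira.atlassian.com/s/example.js"),
    _report("script-src-elem", "inline"),        # an inline <script> block
    _report("script-src", "eval"),               # eval()/new Function somewhere in page JS
    _report("style-src-elem", "inline"),         # inline <style> or style="" attribute
    _report("img-src", "data:image/png;base64,iVBORw0KGgo="),
]

def origin_of(blocked_uri):
    """Reduce blocked-uri to something that could go into a source list.
    Browsers send the literal strings 'inline' and 'eval' when there is no
    URL; data:/blob: URIs reduce to their scheme."""
    if blocked_uri in ("inline", "eval"):
        return blocked_uri
    u = urlsplit(blocked_uri)
    if u.scheme in ("data", "blob"):
        return u.scheme + ":"
    return f"{u.scheme}://{u.netloc}" if u.netloc else "(unknown)"

def summarize(report_bodies):
    """{effective-directive: {origin: count}} across all reports."""
    summary = defaultdict(lambda: defaultdict(int))
    for body in report_bodies:
        r = json.loads(body)["csp-report"]
        directive = r.get("effective-directive") or r["violated-directive"].split()[0]
        summary[directive][origin_of(r["blocked-uri"])] += 1
    return {d: dict(c) for d, c in summary.items()}

def suggest(summary):
    """Turn the summary into the decisions a reviewer has to make. A host can
    simply be added; inline code and eval cannot be fixed by a host entry."""
    out = []
    for directive, origins in sorted(summary.items()):
        hosts = sorted(o for o in origins if o not in ("inline", "eval") and not o.endswith(":"))
        if hosts:
            out.append(f"{directive}: consider adding {' '.join(hosts)} (only if you trust it)")
        for o in sorted(origins):
            if o == "inline":
                out.append(f"{directive}: inline code present; needs nonces/hashes or 'unsafe-inline'")
            elif o == "eval":
                out.append(f"{directive}: eval() used; needs 'unsafe-eval' or a code change")
            elif o.endswith(":"):
                out.append(f"{directive}: consider adding scheme source {o}")
    return out

def report_only_header(policy, report_path=REPORT_PATH):
    """Serialize {directive: [sources]} as a Report-Only header value."""
    parts = [f"{d} {' '.join(s)}" for d, s in policy.items()]
    parts.append(f"report-uri {report_path}")
    return "; ".join(parts)

if __name__ == "__main__":
    print(report_only_header({"default-src": ["'self'"], "script-src": ["'self'"]}))
    for line in suggest(summarize(SAMPLE_REPORTS)):
        print(line)
```

The counts matter as much as the origins: a host that shows up once from a single admin page is a different decision from one that every dashboard load needs. Older browsers report the element-level violations under script-src rather than script-src-elem, so expect both names in real data and treat them together.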

Sascha Ziemann January 17, 2019

So it is impossible for a confluence server to reach an A grade on https://observatory.mozilla.org

This is beyond the pale.

Tomasz Kustrzynski
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
October 22, 2020

Disappointing if this is still the case (still looking for documentation on this). Looks like low hanging fruit for Marketplace Security Bug Bounty Program researchers.

Tomasz Kustrzynski
I'm New Here
October 22, 2020

Actually I managed to get A+, but had to leave "unsafe-inline" for styles, as all.js includes some :(

These results may not be possible with some types of apps I guess

[Screenshot: Mozilla Observatory result, 2020-10-22]

Tilman Bender
I'm New Here
March 3, 2021

@Tomasz Kustrzynski Could you share an anonymized version of the CSP that led to that analysis?

Luca Andreatta
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
March 10, 2022

If I don't set unsafe-inline for script-src, dashboards are not loaded correctly.

@Tomasz Kustrzynski could you tell me how you configured it?

I used Tero Laihia's CSP configuration, although observatory.mozilla.org tells me that it is not so secure.

Do you have any other configurations to use?

Luca Andreatta
Rising Star
March 15, 2022

Hi all,

this is how I configured CSP in Apache:

Header set Content-Security-Policy " \
default-src 'self' *.mydomain.com; \
script-src 'self' *.mydomain.com marketplace.atlassian.com 'unsafe-inline' 'unsafe-eval'; \
style-src 'self' *.mydomain.com 'unsafe-inline'; \
img-src 'self' *.mydomain.com *.atlassian.com data:; \
connect-src 'self' *.mydomain.com marketplace.atlassian.com; \
font-src 'self' *.mydomain.com; \
object-src 'self' *.mydomain.com; \
media-src 'self' *.mydomain.com; \
frame-src 'self' *.mydomain.com; \
frame-ancestors 'self' *.mydomain.com; \
child-src 'self' *.mydomain.com; \
form-action 'self' *.mydomain.com; \
base-uri 'self' *.mydomain.com; \
"


0 votes
AnnWorley
Atlassian Team
November 6, 2017

CSPs are usually set at the reverse proxy in front of a webserver. It sounds like you are using Apache? Our doc doesn't have a recommendation for that setting: Proxying Atlassian server applications with Apache HTTP Server (mod_proxy_http)

CSP recommendations for several proxies, including Apache, are in this third party doc I found: Secure your website with Content Security Policy

I am not sure what the unsafe-eval is or which script it is in. Please let me know more about this question, I will be happy to research it.

tdeleeuw November 6, 2017

Hi

Thanks for your answer.

I indeed set the headers at the reverse proxy (NGINX in my case).

Obviously the most secure approach is to use only scripts in external files (as it should be harder to create a file than to inject content into a web page).

The eval method is used to execute the JavaScript that is in a String. It is sometimes used to "parse" a JSON String to a JavaScript object. The issue is that if the reply contains actual JavaScript, it will be executed.

So if you want to reduce the risk of JavaScript-based attacks, it is safer to have all your JavaScript in static files.

Best regards

Thierry

AnnWorley
Atlassian Team
November 7, 2017

I am asking our security team about this, but most of them are in a different time zone, so it's slow going.

In the meantime, are the links in Branden's answer to the following question of help? Setting up Content Security Policy in JIRA

tdeleeuw November 7, 2017

Thanks Ann, I have set up the Content Security Policy. It is mostly working, but I would like to know if it can be tightened.

Have a great (sunny) day in AU ;-)

Regards from cold Belgium ;-)

AnnWorley
Atlassian Team
November 7, 2017

Please let me know as specifically as possible what I should ask our security team to help you tighten it. That will help us get a better answer.

I am in Austin, TX! The security folks are in Sydney.

I would be happy to lend you some of our sunny weather. :)

Tero Laihia November 7, 2017

Those links in Branden's answers refer to the obsolete X-Frame-Options; CSPs are replacing them. And X-Frame-Options doesn't support wildcard domains in rules.

So any "official" guide to CSPs would be nice to have.

