I've had to make some security related changes to our Jira server relating to the entry in the server.xml for the Connector on port 8443.
In particular I have sslEnabledProtocols="TLSv1.2", and a host of restricted ciphers.
This seems to have broken the Issue Collectors.
I created the basic example Issue Collector and inserted the script into a simple html file. When I view the html file, it correctly shows the Provide Feedback button. However, clicking the button simply puts up the spinning wait symbol and it spins and spins.
Watching the access_log shows the request coming in and returning a 200.
10.75.112.36 731x7483x1 mhusby [26/Jul/2017:12:11:20 -0400] "GET /jira/rest/collectors/1.0/template/form/81571e01?os_authType=none HTTP/1.1" 200 4210 111 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8" "1c6vw36"
but nothing gets rendered.
Inspecting the HTML shows two errors that say
Refused to display 'https://.../rest/collectors/1.0/template/form/81571e01?os_authType=none' in a frame because it set X-Frame-Options to 'SAMEORIGIN'
Unable to post message to 'https://...:8443' Recipient has origin null.
Have discovered that if I put my test html on the JIRA server, the form does display. So the problem remains, what setting needs to be changed to allow the form to be displayed on pages from our other web servers.
This sounds like a problem with your proxy settings. I did a check on my Cloud instance and my on-premise instance and I did not see the set X-Frame-Options: "sameorigin" option. However, I would check your configuration using curl and the -I flag. See if that is one of the headers being returned, and if so, you'll need to modify your proxy settings.
If the header contains the SAMEORIGIN option, the response will be loaded within a frame only if the parent page is from the same origin.
There are a few Community posts that discuss this problem and may help. One is titled JIRA IssueCollector X-Frame-Origin problem and another is Issue Collector does not load….
Take a look at those and hopefully they will provide some clues as to what changes you need to make on your proxy to get the Issue Collectors working as normal again!
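The header check suggested above, as an added example that is not part of the original thread: it parses `curl -I` output and reports whether a given parent page may frame the collector form. The host names and sample headers are constructed placeholders, and the ALLOW-FROM and CSP frame-ancestors handling goes beyond the SAMEORIGIN case discussed here.

```python
from urllib.parse import urlsplit

# Constructed `curl -I` output; host names below are placeholders, not from the thread.
SAMPLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
)
FORM_URL = ("https://jira.example.com:8443/jira/rest/collectors/1.0/"
            "template/form/81571e01?os_authType=none")

def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    u = urlsplit(url)
    return (u.scheme, (u.hostname or "").lower(),
            u.port or {"https": 443, "http": 80}.get(u.scheme))

def parse_head(raw):
    """Parse header lines into {lowercased name: [values]}."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:  # the status line has no colon and is skipped
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def framing_verdict(raw_head, framed_url, parent_url):
    """Return (verdict, reason); verdict is allowed, blocked or browser-dependent."""
    headers = parse_head(raw_head)
    if any("frame-ancestors" in v.lower()
           for v in headers.get("content-security-policy", [])):
        return "browser-dependent", "CSP frame-ancestors overrides X-Frame-Options where supported"
    same = origin(framed_url) == origin(parent_url)
    for value in headers.get("x-frame-options", []):
        v = value.upper()
        if v == "DENY":
            return "blocked", "X-Frame-Options: DENY"
        if v == "SAMEORIGIN" and not same:
            return "blocked", "SAMEORIGIN and the parent page is another origin"
        if v.startswith("ALLOW-FROM"):
            return "browser-dependent", "ALLOW-FROM is not honoured by every browser"
    return "allowed", "no X-Frame-Options restriction applies to this parent"

if __name__ == "__main__":
    for parent in ("https://www.example.com/feedback.html",
                   "https://jira.example.com:8443/test.html"):
        print(parent, framing_verdict(SAMPLE_HEAD, FORM_URL, parent))
```

A page on the same host but a different port (for example 443 instead of 8443) is a different origin and is reported as blocked.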
After looking into previous JIRA versions, I realized that the SAMEORIGIN setting had been required by our security team. I've looked into ways of configuring Tomcat so that it excludes the SAMEORIGIN setting based on a URL. However, the different browsers do not currently support the different security headers consistently.
We've decided to change our apps to instead bring up a Service Desk page in a different window. That will get around the SAMEORIGIN problem.
Thanks for the pointers.