Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

How to disable new X-FRAM-OPTIONS security header

Volker Endriss
Volker Endriss December 19, 2017

Dear Support

 

After upgrade to Jira Software 7.6.1 i found out, that i can't embedd Jira sites on our Confluence page anymore via iframe. I found out that this is a new security feature (JRASERVER-25143). In this articel it's described, that one can disable this protection by setting the com.atlassian.jira.clickjacking.protection.disabled system property to true

There's also a site which should describe how to do the Setting properties and options. But this site describes how you set Java Options for the service. When i inserted the property "com.atlassian.jira.clickjacking.protection.disabled=true" in the Java Options the service won't start anymore. So it has to be done somehow differently. Hope you can help!

 

Kind regards

 

Ueli

Answer
Watch
Like Be the first to like this
8741 views

2 answers

1 vote
aurelain
aurelain January 5, 2018

I also tried the following options, but none worked:

  1. In setenv.sh:
    JVM_SUPPORT_RECOMMENDED_ARGS="-Datlassian.jira.clickjacking.protection.disabled=true  "

  2. In setenv.sh:
    JVM_SUPPORT_RECOMMENDED_ARGS="-Datlassian.clickjacking.protection.disabled=true"

  3. In web.xml:
    <filter>
          <filter-name>HTTP Header Security Filter</filter-name>
          <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
          <init-param>
            <param-name>antiClickJackingEnabled</param-name>
            <param-value>false</param-value>
          </init-param>
    </filter>

So, this is still unresolved...

View More Comments
somethingblue
somethingblue
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 5, 2018

Hi Aurelian,

Those look like the arguments for JIRA.  You need to configure this on the Confluence side.  See Confluence page does not display in an iframe for the correct arguments for Confluence. 

Additionally, take a look at the very last comment in the post titled How to remove or modify Confluence X-Frame-Options response header for another suggestion.

Cheers,

Branden

Like
aurelain
aurelain January 5, 2018

Hi, Branden.

My use-case is a little different: I actually need to embed my own JIRA in a normal webpage :).

(No Confluence envolved)

Cheers,
Aurelian

Like
Volker Endriss
Volker Endriss January 6, 2018

Hi Aurelian

 

To make work what you want you have to set the propertiy

"-Dcom.atlassian.jira.clickjacking.protection.disabled=true" to your JIRA Installation. This worked for me.

 

Cheers, Uli

Like
aurelain
aurelain January 6, 2018

Thank you very much, Ueli.

Indeed, the correct solution was to edit setenv.sh as follows:

JVM_SUPPORT_RECOMMENDED_ARGS="-Dcom.atlassian.jira.clickjacking.protection.disabled=true"

The Attlassian Team should also update the Setting properties and options page accordingly.

Like Ievgenii Vasiuk likes this
Reply
0 votes
somethingblue
somethingblue
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 19, 2017

Hi Ueli,

I get the same behavior in JIRA, however, according to Confluence page does not display in an iframe the changes are supposed to be done on the Confluence side:

Resolution 1

Disable clickjacking protection from Confluence

  1. Shut down Confluence

  2. If you're running Linux:
    1. In <confluence_install>/bin/setenv.sh add the line:
      CATALINA_OPTS="-Dconfluence.clickjacking.protection.disable=true ${CATALINA_OPTS}"
  3. If you're running Windows from the .bat file:

    1. In <confluence_install>/bin/setenv.bat add the line:

      set CATALINA_OPTS=-Dconfluence.clickjacking.protection.disable=true %CATALINA_OPTS%
  4. If you're running Windows as a service:

    1. If you're starting Confluence as a service, then you'll need to add the following startup options to the Java tab in the service properties:

      -Dconfluence.clickjacking.protection.disable=true
  5. Restart Confluence

(info) See Configuring System Properties for more on setting System Properties.

The Page will now appear in the iframe.

Resolution 2

If the resolution 1 does not work then there is a possibility that in CONFLUENCE_INSTALL/conf/web.xml you have enabled HTTP Header Security Filter in Tomcat. 

  1. Shut down Confluence
  2. Open CONFLUENCE_INSTALL/conf/web.xml and find antiClickJackingOption
  3. Uncomment the parameter and change the value from DENY to SAMEORIGIN
  4. Restart Confluence

Please see Apache Tomcat 8 Configuration ReferenceHTTP Header Security Filter for more information on the parameters

Try the steps above and let me know the results.

Cheers,

Branden

Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira Software
TAGS
AUG Leaders

Atlassian Community Events

    See all events