What is the url to create a new defect against JIRA

Subhajit Bhuiya July 9, 2018

I want to create a new defect against JIRA. How can I do that, or what is the URL for it? This is the defect:

In https://confluence.atlassian.com/jirakb/security-headers-in-jira-939919914.html, it is written how to exclude the security header using com.atlassian.jira.clickjacking.protection.exclude. But com.atlassian.jira.clickjacking.protection.exclude does not support regular expressions. Like if I update setenv.bat with

-Dcom.atlassian.jira.clickjacking.protection.exclude=/plugins/servlet/oslcservices/adminlogin,/plugins/servlet/oslcservices/oauth/approvekey,/plugins/servlet/oslcservices/userlogin,/plugins/servlet/oslcservices/oauth/authorize

 

it works. But if I change it to

-Dcom.atlassian.jira.clickjacking.protection.exclude=/*/oslcservices/*

 

it does not work. So, this solution works for static URLs. But there are a few URLs which are dynamic because they will have a project area ID or issue ID. Having support for regular expressions or giving a way to support dynamic URLs is very much required.

 

1 answer

0 votes
Daniel Eads
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 9, 2018

Hey Subhajit,

We do have some known cases where characters need to be escaped or quoted when being passed in as arguments. See our documentation for examples of other arguments needing quotes.

If quoting the string doesn't work, let me know and we'll go from there.

Cheers,
Daniel

Subhajit Bhuiya July 10, 2018

@Daniel Eads I have used quotes, but it does not work.

Daniel Eads
Atlassian Team
July 10, 2018

Another route you could take is to disable clickjacking protection entirely using the following flag instead:

-Dcom.atlassian.jira.clickjacking.protection.disabled=true

Using this flag on a production system is an extremely bad idea™ but an option you could take during development if you need it.

I'm not sure what your use-case is for development but just want to advise you that having clickjacking excluded/disabled is not something you should count on if you're planning to distribute a plugin. If it's just to help development of some other function on your local system and your plugin doesn't rely on it, then carry on.

Subhajit Bhuiya July 10, 2018

@Daniel Eads That is what I am doing now. As you mentioned, we need -Dcom.atlassian.jira.clickjacking.protection.exclude working for dynamic URLs.

Subhajit Bhuiya August 9, 2018

@Daniel Eads Have you created a defect or enhancement in JIRA to support dynamic URLs for the property -Dcom.atlassian.jira.clickjacking.protection.exclude? It is very much required for us.

Daniel Eads
Atlassian Team
August 9, 2018

Hi Subhajit,

My best advice is to create a Feature Request in the JRASERVER project here. For more information about how Atlassian prioritizes feature requests made on jira.atlassian.com, check out this Community post.

Looking at some other questions you've asked it looks like you're developing a plugin. I just want to remind you that it's not reasonable to expect other folks to add a startup flag on their own servers if you are planning to distribute your plugin. Keeping this in mind, you may want to include details in your feature request about whitelisting URLs from clickjacking somehow in the interface so that your plugin can make the whitelist without additional user interaction.

Cheers,
Daniel

Paul Tasillo August 9, 2018

@Daniel Eads Subhajit and I are working on a JIRA plugin which uses the current support. This customer doesn't want to go into production with the clickjacking setting disabled. What we need is a defect or enhancement to track the issue mentioned below so that the customer can comment on it.

Daniel Eads
Atlassian Team
August 9, 2018

Thanks for the info @Paul Tasillo! Go ahead and use the link I provided to open a JRASERVER feature request. The customer should be able to comment on the feature request you open on jira.atlassian.com.

Paul Tasillo August 9, 2018

Thanks. BTW totally agree that requiring properties to be set AND a server restart is not the best customer experience.

Paul Tasillo August 9, 2018

@Daniel Eads hit a snag. We're both getting permission issues when trying to submit the issue. doesn't have the 'Assign Issues' permission.

Any workaround or process for requesting this permission?

Thanks

Daniel Eads
Atlassian Team
August 9, 2018

Hey @Paul Tasillo - sorry about using the wrong issue type! You'll need to open a Suggestion (not feature request as I accidentally posted).
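
An added example, not part of the thread and not Atlassian's code: a small audit that reads the two startup flags discussed above and compares the exclude list with anti-framing headers observed on a set of paths, so a deployment check can catch a global disable or a wildcard entry that the thread reports is not applied as a pattern. It assumes exclude entries are matched as exact paths (the behaviour reported in the question); the sample arguments, the `/issue/10001` path and the header sets are constructed.

```python
import shlex

PREFIX = "-Dcom.atlassian.jira.clickjacking.protection."

def parse_flags(jvm_args):
    """Return (disabled, exclude_list) parsed from a JVM argument string."""
    disabled, excluded = False, []
    for arg in shlex.split(jvm_args):
        if not arg.startswith(PREFIX) or "=" not in arg:
            continue
        key, value = arg[len(PREFIX):].split("=", 1)
        if key == "disabled":
            disabled = value.strip().lower() == "true"
        elif key == "exclude":
            excluded = [p.strip() for p in value.split(",") if p.strip()]
    return disabled, excluded

def is_frame_protected(headers):
    """True if the response carries a standard anti-framing header."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    return "x-frame-options" in h or "frame-ancestors" in csp

def audit(jvm_args, observed):
    """observed maps request path -> response headers; returns findings."""
    disabled, excluded = parse_flags(jvm_args)
    findings = []
    if disabled:
        findings.append("protection disabled globally")
    for entry in excluded:
        if "*" in entry:  # assumption from the thread: entries are literal paths
            findings.append(f"wildcard entry is not applied as a pattern: {entry}")
    for path, headers in observed.items():
        if not is_frame_protected(headers) and path not in excluded:
            findings.append(f"unprotected path not in exclude list: {path}")
    return findings

# Constructed sample data (not taken from a real server).
SAMPLE_ARGS = ("-Xms384m -Dcom.atlassian.jira.clickjacking.protection.exclude="
               "/plugins/servlet/oslcservices/userlogin,/*/oslcservices/*")
PROTECTED = {"X-Frame-Options": "SAMEORIGIN",
             "Content-Security-Policy": "frame-ancestors 'self'"}
SAMPLE_OBSERVED = {
    "/plugins/servlet/oslcservices/userlogin": {},            # excluded on purpose
    "/plugins/servlet/oslcservices/issue/10001": PROTECTED,   # dynamic URL, still protected
    "/secure/Dashboard.jspa": PROTECTED,
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ARGS, SAMPLE_OBSERVED):
        print(finding)
```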
