I want to create a new defect against JIRA. How can I do that, or what is the URL for it? This is the defect:
In https://confluence.atlassian.com/jirakb/security-headers-in-jira-939919914.html, it is written how to exclude the security header using com.atlassian.jira.clickjacking.protection.exclude. But com.atlassian.jira.clickjacking.protection.exclude does not support regular expressions. For example, if I update setenv.bat with
-Dcom.atlassian.jira.clickjacking.protection.exclude=/plugins/servlet/oslcservices/adminlogin,/plugins/servlet/oslcservices/oauth/approvekey,/plugins/servlet/oslcservices/userlogin,/plugins/servlet/oslcservices/oauth/authorize
it works. But if I change it to
-Dcom.atlassian.jira.clickjacking.protection.exclude=/*/oslcservices/*
it does not work. So, this solution works for static URLs. But there are a few URLs which are dynamic because they will have a project area id or issue id. Having support for regular expressions or giving a way to support dynamic URLs is very much required.
Hey Subhajit,
We do have some known cases where characters need to be escaped or quoted when being passed in as arguments. See our documentation for examples of other arguments needing quotes.
If quoting the string doesn't work, let me know and we'll go from there.
Cheers,
Daniel
Another route you could take is to disable clickjacking protection entirely using the following flag instead:
-Dcom.atlassian.jira.clickjacking.protection.disabled=true
Using this flag on a production system is an extremely bad idea™ but an option you could take during development if you need it.
I'm not sure what your use-case is for development but just want to advise you that having clickjacking excluded/disabled is not something you should count on if you're planning to distribute a plugin. If it's just to help development of some other function on your local system and your plugin doesn't rely on it, then carry on.
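An added example, not part of the original thread or of Atlassian's code: a small audit of a setenv file for the two clickjacking properties discussed above. It reports a global disable and lists each excluded path, flagging wildcard entries, which the question reports as not matching. The sample file content and the function names are constructed for illustration.

```python
import re

# Property names exactly as they appear in this thread.
EXCLUDE = "com.atlassian.jira.clickjacking.protection.exclude"
DISABLED = "com.atlassian.jira.clickjacking.protection.disabled"

# Constructed setenv.bat fragment (not taken from a real server).
SAMPLE_SETENV = r'''
set JVM_SUPPORT_RECOMMENDED_ARGS=-Dcom.atlassian.jira.clickjacking.protection.exclude=/plugins/servlet/oslcservices/userlogin,/*/oslcservices/*
rem set JVM_SUPPORT_RECOMMENDED_ARGS=-Dcom.atlassian.jira.clickjacking.protection.disabled=true
'''

def jvm_properties(text):
    """Return {name: value} for -D options found on non-comment lines."""
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        # Skip batch (rem, ::) and shell (#) comment lines.
        if re.match(r'(?i)^(rem\b|::|#)', stripped):
            continue
        for name, value in re.findall(r'-D([\w.]+)=("[^"]*"|[^\s"]+)', stripped):
            props[name] = value.strip('"')
    return props

def audit(text):
    """Return (severity, message) findings for the clickjacking settings."""
    props = jvm_properties(text)
    findings = []
    if props.get(DISABLED, "").lower() == "true":
        findings.append(("HIGH", "clickjacking protection disabled for every page"))
    for path in filter(None, props.get(EXCLUDE, "").split(",")):
        if "*" in path:
            # Per the question above, entries are not treated as patterns.
            findings.append(("WARN", f"wildcard entry {path!r} reported as not matching"))
        else:
            findings.append(("INFO", f"security header excluded for {path}"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_SETENV):
        print(f"{severity}: {message}")
```
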
@Daniel Eads that is what I am doing now. As you mentioned, we need -Dcom.atlassian.jira.clickjacking.protection.exclude working for dynamic urls
@Daniel Eads Have you created a defect or enhancement in JIRA to support dynamic URLs for the property -Dcom.atlassian.jira.clickjacking.protection.exclude? It is very much required for us.
Hi Subhajit,
My best advice is to create a Feature Request in the JRASERVER project here. For more information about how Atlassian prioritizes feature requests made on jira.atlassian.com, check out this Community post.
Looking at some other questions you've asked it looks like you're developing a plugin. I just want to remind you that it's not reasonable to expect other folks to add a startup flag on their own servers if you are planning to distribute your plugin. Keeping this in mind, you may want to include details in your feature request about whitelisting URLs from clickjacking somehow in the interface so that your plugin can make the whitelist without additional user interaction.
Cheers,
Daniel
@Daniel Eads Subhajit and I are working on a JIRA plugin which uses the current support. This customer doesn't want to go into production with the clickjacking setting disabled. What we need is a defect or enhancement to track the issue mentioned below so that the customer can comment on it.
Thanks for the info @Paul Tasillo! Go ahead and use the link I provided to open a JRASERVER feature request. The customer should be able to comment on the feature request you open on jira.atlassian.com.
Thanks. BTW totally agree that requiring properties to be set AND a server restart is not the best customer experience.
@Daniel Eads hit a snag. We're both getting permission issues when trying to submit the issue. doesn't have the 'Assign Issues' permission.
Any work around or process for requesting this permission?
Thanks
Hey @Paul Tasillo - sorry about using the wrong issue type! You'll need to open a Suggestion (not feature request as I accidentally posted).