We use the Confluence Companion tool to edit files from Confluence locally ( https://confluence.atlassian.com/doc/edit-files-170494553.html ) but since the last update of that tool, it is no longer working. I found out that it is because of the CSP directive that we've set in NGINX, but no matter the changes I make, nothing works.
Original CSP directive:
add_header Content-Security-Policy "default-src https: wss: blob: goedit: 'unsafe-inline' 'unsafe-eval'; connect-src https://*.atlassian.com 'self' ws:; img-src blob: https: data: 'unsafe-inline' *; font-src https: data:" always;
Result:
Refused to frame '' because it violates the following Content Security Policy directive: "default-src https: wss: blob: goedit:". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
So I figured, let's add frame-src:
add_header Content-Security-Policy "default-src https: wss: blob: goedit: 'unsafe-inline' 'unsafe-eval'; connect-src https://*.atlassian.com 'self' ws:; frame-src 'self'; img-src blob: https: data: 'unsafe-inline' *; font-src https: data:" always;
But now it reports:
Refused to frame '' because it violates the following Content Security Policy directive: "frame-src 'self'".
Kinda lost here. In the first place, why does it load .... nothing? Just '', I'd expect a website there or something, but no matter the changes I make to frame-src, it keeps complaining.
What I tried:
frame-src 'self';
frame-src '*';
frame-src '';
frame-src 'self' data:;
frame-src '*.mydomain.com';
frame-src 'none';
Even tried to allow all frames via X-FRAME-OPTIONS as well as adding frame-ancestors and combining all of the above in various ways, but the result is the same.
Help is very much appreciated.
Thanks!
Confluence 7.3+ launches Companion with a custom protocol prefixed with atlassian-companion:. This is constructed using a hidden iframe to prevent the page from redirecting. Therefore, to resolve this issue, please add atlassian-companion: to your default-src or frame-src exclusions in your Content Security Policy. For example: frame-src atlassian-companion:;