Refused to frame '' because it violates the following Content Security Policy directive

Tommy · Mar 11, 2020 · Viewed 11.9k times

We use the Confluence Companion tool to edit files from Confluence locally ( https://confluence.atlassian.com/doc/edit-files-170494553.html ) but since the last update of that tool, it is no longer working. I found out that it is because of the CSP directive that we've set in NGINX, but no matter the changes I make, nothing works.

Original CSP directive:

add_header Content-Security-Policy "default-src https: wss: blob: goedit: 'unsafe-inline' 'unsafe-eval'; connect-src https://*.atlassian.com 'self' ws:; img-src blob: https: data: 'unsafe-inline' *; font-src https: data:" always;

Result: Refused to frame '' because it violates the following Content Security Policy directive: "default-src https: wss: blob: goedit:". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

So I figured, let's add frame-src:

add_header Content-Security-Policy "default-src https: wss: blob: goedit: 'unsafe-inline' 'unsafe-eval'; connect-src https://*.atlassian.com 'self' ws:; frame-src 'self'; img-src blob: https: data: 'unsafe-inline' *; font-src https: data:" always;

But now it reports:

Refused to frame '' because it violates the following Content Security Policy directive: "frame-src 'self'".

Kinda lost here; in the first place, why does it load .... nothing? Just '', I'd expect a website there or something, but no matter the changes I make to frame-src, it keeps complaining.

What i tried:

frame-src 'self';
frame-src '*';
frame-src '';
frame-src 'self' data:;
frame-src '*.mydomain.com';
frame-src 'none';

Even tried to allow all frames via X-FRAME-OPTIONS as well as adding frame-ancestors and combining all of the above in various ways, but the result is the same.

Help is very much appreciated.

Thanks!

Answer

Alex Knight · Mar 12, 2020

Confluence 7.3+ launches Companion with a custom protocol prefixed with atlassian-companion:. This is constructed using a hidden iframe to prevent the page from redirecting.

Therefore, to resolve this issue, please add atlassian-companion: to your default-src or frame-src exclusions in your Content Security Policy. For example: frame-src atlassian-companion:;.
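As an added example (not part of the original thread or of Atlassian's code), a small Python model of the browser decision quoted in the question: it parses a CSP header, applies the frame-src to default-src fallback, and checks a constructed companion URL against the original policy and the one the answer recommends. The header values, the page origin and the URL path are assumptions for illustration; only the atlassian-companion: scheme comes from the answer.

```python
from urllib.parse import urlparse

# Constructed header values (not copied from a live server): the question's
# original policy, and the same policy with the answer's frame-src fix added.
CSP_ORIGINAL = ("default-src https: wss: blob: goedit: 'unsafe-inline' 'unsafe-eval'; "
                "connect-src https://*.atlassian.com 'self' ws:; "
                "img-src blob: https: data: 'unsafe-inline' *; font-src https: data:")
CSP_FIXED = CSP_ORIGINAL + "; frame-src 'self' atlassian-companion:"
# Constructed URL for the hidden iframe: scheme from the answer, path invented.
COMPANION_URL = "atlassian-companion://edit/example-token"
PAGE_ORIGIN = "https://confluence.example.com"  # assumed Confluence origin

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(src, url, page_origin):
    """Simplified CSP3 source matching: keywords, scheme-, and host-sources."""
    u = urlparse(url)
    if src == "'self'":
        return url == page_origin or url.startswith(page_origin + "/")
    if src.startswith("'"):
        # Other quoted tokens ('none', 'unsafe-inline', or mistakes such as
        # '*.mydomain.com') never match a frame URL.
        return False
    if src == "*":
        # A bare wildcard covers network schemes only, never custom ones.
        return u.scheme in ("http", "https", "ws", "wss")
    if src.endswith(":") and "/" not in src:
        return u.scheme == src[:-1]  # scheme-source such as goedit:
    s = urlparse(src if "//" in src else "//" + src)  # host-source
    if s.scheme and s.scheme != u.scheme:
        return False
    host = s.hostname or ""
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host

def frame_allowed(header, url, page_origin=PAGE_ORIGIN):
    """Return (allowed, governing directive), with the default-src fallback."""
    policy = parse_csp(header)
    directive = "frame-src" if "frame-src" in policy else "default-src"
    if directive not in policy:
        return True, None  # neither directive present: nothing restricts framing
    return any(source_matches(s, url, page_origin) for s in policy[directive]), directive
```

Running `frame_allowed` with the original header reports the block under default-src, exactly as the console message does, while `frame-src 'self'` and a bare `frame-src *` still refuse the custom scheme.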