I get a blank VisualForce page with Fetch Endpoint in Jira 7.6 and above when clickjacking protection is enabled

Summary

In JIRA v7.6 and above, even after performing the workaround in this documentation, the Related JIRA issue Visualforce page (Fetch endpoint) still remains empty/blank. 

Environment

  • JIRA v7.6 and above

  • Salesforce & JIRA Server Connector v6.1.11

Diagnostics Steps

In the Developer console, you should be able to see the following error message while inspecting the page.

If you copy the link into a new tab, the URL works correctly.

Cause

This issue is caused by clickjacking protection being enabled in your Jira instance.

According to the Atlassian Jira 7.6.x Release Notes, Atlassian adds the X-Frame-Options and Content-Security-Policy security headers to each HTTP response, which causes this issue. 

In particular, please refer to the Better security with X-Frame-Options section.

Workaround

For standard Windows and Linux installations

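According to the Atlassian JIRA Knowledge Base, you can either exclude specific paths from the clickjacking protection or disable the security headers altogether. Both options are set as a JVM system property. Prefer the path exclusion where it is sufficient, since it leaves the headers in place for all other Jira pages.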

  • Excluding paths

    1. Go to your JIRA installation directory → Edit the setenv.sh (Linux) or setenv.bat (Windows) in the bin folder. → Find the section JVM_SUPPORT_RECOMMENDED_ARGS= and add the following line. 

      "-Dcom.atlassian.jira.clickjacking.protection.exclude=/plugins/servlet/customware/connector/issue/1/Case/fetch.action"
      • In the example line above, the system ID is "1". Please ensure that you have entered the correct system ID. You can locate your system ID in the Connections.

      • You will need to log in to Jira first in the same browser session for the Visualforce page to appear.

  • Disabling security headers

    1. Go to your JIRA installation directory → Edit the setenv.sh (Linux) or setenv.bat (Windows) in the bin folder. → Find the section JVM_SUPPORT_RECOMMENDED_ARGS= and add the following line.

      "-Dcom.atlassian.jira.clickjacking.protection.disabled=true"

Please note that clickjacking protection is re-enabled after a Jira upgrade.
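
To confirm that the path exclusion took effect and is limited to the fetch endpoint, compare the response headers of the excluded path with those of any other Jira page. The script below is an added example, not part of the connector or the Atlassian documentation; `frame_policy` and `verify_scope` are hypothetical helper names and the sample headers are constructed.

```shell
#!/bin/sh
# Added example; frame_policy and verify_scope are hypothetical helper names.

# Read raw HTTP response headers on stdin. Print "restricted: <header>" when
# X-Frame-Options or a CSP frame-ancestors directive is set, else "frameable".
frame_policy() {
    tr -d '\r' | awk '
    {
        i = index($0, ":"); if (i == 0) next   # status line or blank line
        name  = tolower(substr($0, 1, i - 1))
        value = substr($0, i + 1); sub(/^[ \t]+/, "", value)
    }
    name == "x-frame-options" { xfo = toupper(value) }
    name == "content-security-policy" {
        n = split(value, dirs, ";")
        for (k = 1; k <= n; k++) {
            d = dirs[k]; sub(/^[ \t]+/, "", d)
            if (tolower(d) ~ /^frame-ancestors([ \t]|$)/) fa = d
        }
    }
    END {
        if (fa != "")       print "restricted: " fa
        else if (xfo != "") print "restricted: X-Frame-Options " xfo
        else                print "frameable"
    }'
}

# Compare the excluded fetch endpoint ($1) with any other Jira page ($2).
verify_scope() {
    fetch=$(printf '%s\n' "$1" | frame_policy)
    control=$(printf '%s\n' "$2" | frame_policy)
    case "$fetch/$control" in
        frameable/restricted*) echo "ok: exclusion is limited to the fetch endpoint" ;;
        frameable/frameable)   echo "warn: headers are missing on other pages too" ;;
        *)                     echo "fail: fetch endpoint still $fetch" ;;
    esac
}

# Constructed sample headers (not captured from a real instance). For live
# input, pipe: curl -s -D - -o /dev/null "<URL>" | frame_policy
PROTECTED=$(cat <<'EOF'
HTTP/1.1 200
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
EOF
)
EXCLUDED=$(cat <<'EOF'
HTTP/1.1 200
Content-Type: text/html;charset=UTF-8
EOF
)
verify_scope "$EXCLUDED" "$PROTECTED"
```

A "warn" result means the headers are absent everywhere, which is what the global `disabled=true` property produces; a "fail" result means the exclusion path (including the system ID) does not match the URL the Visualforce page requests.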

For Jira installed as a Windows service

Follow Atlassian's instructions for setting properties for Windows services via command line.

 

Resolution

N/A