Content Security Policy Errors in Gitlab.com for Jira Cloud App
### Summary
Customer is using the Gitlab.com for Jira Cloud App. Recently, the app started reporting an error due to Content Security Policy:

```
HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE
Refused to frame 'https://gitlab.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".
Failed to load resource: the server responded with a status of 403 ()
```

Customer's Jira Cloud instance is at a `*.atlassian.net` domain. There is another open issue that is related (I#341770), but it seems to only apply to users at `*.jira.com` domains.
### Steps to reproduce
I haven't reproduced but I did find a couple of other reports - they were unresolved though.
### Example Project
Zendesk ticket (internal link only)
### What is the current bug behavior?
The Gitlab.com for Jira Cloud App is showing an error for content security policy, and will not display the customer's GitLab instance correctly.
### What is the expected correct behavior?
The Gitlab.com for Jira Cloud App should be working as designed and should not be generating content security policy errors.
### Relevant logs and/or screenshots
From Customer's browser inspector - console tab:

```
batch.js?locale=en-US:51
DEPRECATED JS - Cookie has been deprecated since 5.8.0 and will be removed in a future release. Use cookie instead.
at b.default (https://d11od6nl13tgep.cloudfront.net/atl-vertigo--shard-jira-prod-us-7--2--jres.atlassian.net/s/d41d8cd98f00b204e9800998ecf8427e-CDN/-9zew5j/b/7/30883d271637428855fffb82ffdd4bcc/_/download/contextbatch/js/jira.webresources:skate,jira.webresources:dialogs,jira.webresources:jira-global,jira.webresources:util-lite,jira.webresources:util,jira.webresources:feature-flags,com.atlassian.auiplugin:aui-spinner,jira.webresources:jira-events,-jira.heritage.critical/batch.js?locale=en-US:48:209)
k @ batch.js?locale=en-US:51
(anonymous) @ batch.js?locale=en-US:52
get @ batch.js?locale=en-US:54
b.default @ batch.js?locale=en-US:48
(anonymous) @ batch.js?locale=en-US:3495
(anonymous) @ batch.js?locale=en-US:3495
DevTools failed to load source map: Could not load content for https://d11od6nl13tgep.cloudfront.net/atl-vertigo--shard-jira-prod-us-7--2--jres.atlassian.net/s/d41d8cd98f00b204e9800998ecf8427e-CDN/-9zew5j/b/7/d45ca754a8f50a90547136d3ff046f95/_/download/contextbatch/css/jira.webresources:skate,jira.webresources:dialogs,jira.webresources:jira-global,jira.webresources:util-lite,jira.webresources:util,jira.webresources:feature-flags,com.atlassian.auiplugin:aui-spinner,jira.webresources:jira-events,-jira.heritage.critical/adg3-sidebar-layout-overrides-min.css... HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE
DevTools failed to load source map: Could not load content for https://d11od6nl13tgep.cloudfront.net/atl-vertigo--shard-jira-prod-us-7--2--jres.atlassian.net/s/d41d8cd98f00b204e9800998ecf8427e-CDN/-9zew5j/b/7/6f6fb0782d6eef31610e223e7a39b533/_/download/contextbatch/css/com.atlassian.jira.jira-atlaskit-plugin:overrides-dialogs/adg3-dialog-overrides-min.css.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE
batch.js?locale=en-US:51
DEPRECATED JS - Dropdown constructor has been deprecated and will be removed in a future release. Use Dropdown2 instead.
at HTMLDocument.<anonymous> (https://d11od6nl13tgep.cloudfront.net/atl-vertigo--shard-jira-prod-us-7--2--jres.atlassian.net/s/d41d8cd98f00b204e9800998ecf8427e-CDN/-9zew5j/b/7/30883d271637428855fffb82ffdd4bcc/_/download/contextbatch/js/jira.webresources:skate,jira.webresources:dialogs,jira.webresources:jira-global,jira.webresources:util-lite,jira.webresources:util,jira.webresources:feature-flags,com.atlassian.auiplugin:aui-spinner,jira.webresources:jira-events,-jira.heritage.critical/batch.js?locale=en-US:4229:201)
k @ batch.js?locale=en-US:51
(anonymous) @ batch.js?locale=en-US:52
(anonymous) @ batch.js?locale=en-US:53
i.bindConfigDashboardDds @ batch.js?locale=en-US:4226
(anonymous) @ batch.js?locale=en-US:4229
d @ batch.js:27
add @ batch.js:27
ready @ batch.js:27
init @ batch.js:27
s @ batch.js:27
(anonymous) @ batch.js?locale=en-US:4229
l @ batch.js:6
(anonymous) @ batch.js:6
setTimeout (async)
s @ batch.js:6
window.require @ batch.js:9
(anonymous) @ batch.js?locale=en-US:4229
batch.js?locale=en-US:238 Failed to run init function: TypeError: removeOldAnalytics is not a function
function() {
determineStorageKey();
setTimeout(bulkPublish, 500);
removeOldAnalytics();
}
batch.js?locale=en-US:40
AJS's create element functionality has been deprecated since 5.9.0.
No alternative will be provided.
Use document.createElement() or jQuery.parseHTML(), or preferably use a templating library.
a.default @ batch.js?locale=en-US:40
d @ batch.js:27
add @ batch.js:27
ready @ batch.js:27
init @ batch.js:27
s @ batch.js:27
h @ batch.js?jag=true&locale=en-US&sd_operational=true:8365
(anonymous) @ batch.js?jag=true&locale=en-US&sd_operational=true:8365
l @ batch.js:6
(anonymous) @ batch.js:6
setTimeout (async)
s @ batch.js:6
window.require @ batch.js:9
(anonymous) @ batch.js?jag=true&locale=en-US&sd_operational=true:8365
batch.js?locale=en-US:51
DEPRECATED JS - Inline dialog constructor has been deprecated and will be removed in a future release. Use inline dialog 2 instead.
at l (https://d11od6nl13tgep.cloudfront.net/atl-vertigo--shard-jira-prod-us-7--2--jres.atlassian.net/s/d41d8cd98f00b204e9800998ecf8427e-CDN/-9zew5j/b/7/5afb61b052c80124cebeda7092403a6b/_/download/contextbatch/js/jira.heritage.critical/batch.js:6:2054)
k @ batch.js?locale=en-US:51
(anonymous) @ batch.js?locale=en-US:52
(anonymous) @ batch.js?locale=en-US:53
(anonymous) @ batch.js?jag=true&locale=en-US&sd_operational=true:8529
l @ batch.js:6
u @ batch.js:6
l @ batch.js:6
(anonymous) @ batch.js:6
setTimeout (async)
s @ batch.js:6
window.require @ batch.js:9
(anonymous) @ batch.js?jag=true&locale=en-US&sd_operational=true:8598
DevTools failed to load source map: Could not load content for https://d11od6nl13tgep.cloudfront.net/atl-vertigo--shard-jira-prod-us-7--2--jres.atlassian.net/s/d41d8cd98f00b204e9800998ecf8427e-CDN/-9zew5j/b/7/a52b69cfb8fd654f12551e3642a34234/_/download/contextbatch/css/jira.webresources:key-commands,jira.webresources:header,com.atlassian.administration.atlassian-admin-quicksearch-jira:admin-quicksearch-webresources,jira.webresources:global-static,com.atlassian.jira.plugins.jira-development-integration-plugin:repository-shortcuts-navigation-next,com.atlas... HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE
Refused to frame 'https://gitlab.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".
chromewebdata/:1
Failed to load resource: the server responded with a status of 403 ()
(index):2764
crbug/1173575, non-JS module files deprecated.
(anonymous) @ (index):2764
async-connect.8a8e6886241cbdc0acff.8.js:7
Add-on iframe timed out for add-on gitlab-jira-connect-gitlab.com
e.warn @ async-connect.8a8e6886241cbdc0acff.8.js:7
e.warn @ async-connect.8a8e6886241cbdc0acff.8.js:8
(anonymous) @ async-connect.8a8e6886241cbdc0acff.8.js:14
setTimeout (async)
startTimeoutDetectionProcessing @ async-connect.8a8e6886241cbdc0acff.8.js:13
(anonymous) @ async-connect.8a8e6886241cbdc0acff.8.js:15
n._createIFrameLifecycleManager @ async-connect.8a8e6886241cbdc0acff.8.js:16
n._initialise @ async-connect.8a8e6886241cbdc0acff.8.js:17
t.componentDidMount @ async-connect.8a8e6886241cbdc0acff.8.js:20
su @ vendor~1f20a385.9818050a3cf9d01df893.8.js:405
wl @ vendor~1f20a385.9818050a3cf9d01df893.8.js:423
e.unstable_runWithPriority @ vendor~31ecd969.c7d5fd22e913caa601e7.8.js:13
Ko @ vendor~1f20a385.9818050a3cf9d01df893.8.js:365
xl @ vendor~1f20a385.9818050a3cf9d01df893.8.js:419
ul @ vendor~1f20a385.9818050a3cf9d01df893.8.js:415
(anonymous) @ vendor~1f20a385.9818050a3cf9d01df893.8.js:366
e.unstable_runWithPriority @ vendor~31ecd969.c7d5fd22e913caa601e7.8.js:13
Ko @ vendor~1f20a385.9818050a3cf9d01df893.8.js:365
Jo @ vendor~1f20a385.9818050a3cf9d01df893.8.js:366
Xo @ vendor~1f20a385.9818050a3cf9d01df893.8.js:365
nl @ vendor~1f20a385.9818050a3cf9d01df893.8.js:412
enqueueSetState @ vendor~1f20a385.9818050a3cf9d01df893.8.js:369
x.setState @ vendor~1f20a385.9818050a3cf9d01df893.8.js:293
(anonymous) @ async-connect.8a8e6886241cbdc0acff.8.js:4
Promise.then (async)
loadHost @ async-connect.8a8e6886241cbdc0acff.8.js:4
componentDidMount @ async-connect.8a8e6886241cbdc0acff.8.js:4
su @ vendor~1f20a385.9818050a3cf9d01df893.8.js:405
wl @ vendor~1f20a385.9818050a3cf9d01df893.8.js:423
e.unstable_runWithPriority @ vendor~31ecd969.c7d5fd22e913caa601e7.8.js:13
Ko @ vendor~1f20a385.9818050a3cf9d01df893.8.js:365
xl @ vendor~1f20a385.9818050a3cf9d01df893.8.js:419
ul @ vendor~1f20a385.9818050a3cf9d01df893.8.js:415
(anonymous) @ vendor~1f20a385.9818050a3cf9d01df893.8.js:366
e.unstable_runWithPriority @ vendor~31ecd969.c7d5fd22e913caa601e7.8.js:13
Ko @ vendor~1f20a385.9818050a3cf9d01df893.8.js:365
Jo @ vendor~1f20a385.9818050a3cf9d01df893.8.js:366
V @ vendor~31ecd969.c7d5fd22e913caa601e7.8.js:12
E.port1.onmessage @ vendor~31ecd969.c7d5fd22e913caa601e7.8.js:11
```
Edited by Michael Gibson
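
Why the `frame-ancestors 'self'` directive quoted in the console output refuses a frame hosted on a Jira Cloud page, as an added example (not part of the original issue and not GitLab's or Atlassian's code): a simplified matcher for the directive's source list. The tenant host names and any policy other than `frame-ancestors 'self'` are constructed assumptions.

```javascript
// Added example: simplified frame-ancestors matching (scheme, host and port only).
// Policies other than "frame-ancestors 'self'" and the tenant names are constructed.
// Return the source list of the frame-ancestors directive, or null when absent.
function frameAncestorSources(cspHeader) {
  for (const directive of cspHeader.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// Does one source expression permit this ancestor URL?
function sourceMatches(source, ancestor, self) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return ancestor.origin === self.origin;
  if (src === '*') return /^https?:$/.test(ancestor.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return ancestor.protocol === src;
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // A scheme-less host source inherits the protected page's scheme (https also accepted).
  const schemeOk = scheme
    ? ancestor.protocol === `${scheme}:`
    : ancestor.protocol === self.protocol || ancestor.protocol === 'https:';
  // "*.example.net" covers subdomains only, never the bare domain.
  const hostOk = host.startsWith('*.')
    ? ancestor.hostname.endsWith(host.slice(1))
    : ancestor.hostname === host;
  const defaultPort = ancestor.protocol === 'https:' ? '443' : '80';
  const portOk = port === '*' || (ancestor.port || defaultPort) === (port || defaultPort);
  return schemeOk && hostOk && portOk;
}

// Every ancestor in the frame chain must match at least one source expression.
function framingAllowed(cspHeader, protectedUrl, ancestorUrls) {
  const sources = frameAncestorSources(cspHeader);
  if (sources === null) return { allowed: true, blockedBy: null };
  const self = new URL(protectedUrl);
  for (const url of ancestorUrls) {
    const ancestor = new URL(url);
    if (!sources.some((s) => sourceMatches(s, ancestor, self))) {
      return { allowed: false, blockedBy: ancestor.origin };
    }
  }
  return { allowed: true, blockedBy: null };
}
// Constructed tenant name; the header value is the one quoted in the console error.
console.log(framingAllowed("frame-ancestors 'self'", 'https://gitlab.com/', ['https://example-tenant.atlassian.net/']));
```

With a constructed wider policy such as `frame-ancestors 'self' https://*.atlassian.net`, the same check passes for an `*.atlassian.net` ancestor and still fails for an `*.jira.com` one, which is why the two domain families can behave differently.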