Commenting on or transitioning issues in Jira Data Center using Firefox or Safari fails due to modified Referrer-Policy
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Modifying Jira's default Referrer-Policy can break Jira functionality for users using Firefox or Safari, including the ability to comment on or transition issues.
Other features like creating Issues and browsing dashboard gadgets may be impacted as well.
Environment
Jira >= 8.4.0, due to the introduction of Cross Site Request Forgery (CSRF) protection changes in Atlassian REST
Firefox >= 69
Safari >= 14.0
Diagnosis
A variety of Jira functionality fails to work properly in Firefox and Safari. For example, clicking inside the Add Comment rich text editor does not bring up a text editing cursor, and workflow transition buttons cause Jira's web interface to become unresponsive. Meanwhile, Chrome continues to work normally.
Entries similar to the following appear in the Jira logs:
2022-11-02 00:00:00,000+0000 https-openssl-nio-8443-exec-52 WARN username 1234x567890x2 sessionid 1.2.3.4 /rest/wrm/2.0/resources [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: https://jira.domain.local/rest/wrm/2.0/resources , origin: null , referrer: null , credentials in request: true , allowed via CORS: false
If we generate a HAR file (see Generating HAR files and analyzing web requests) and inspect it, we can see that requests to Jira are returning XSRF errors:
HTTP Request
Request URL: BASEURL/rest/wrm/2.0/resources
Request Method: POST
Status Code: 403
Remote Address: xxx.x.x.x.x.x
HTTP Response
XSRF check failed
Cause
Firefox/Safari and Chrome behave differently when Referrer-Policy is set to no-referrer.
All three browsers stop sending Referer request headers as a result, but Firefox and Safari also set their Origin request headers to null:

Since Jira's enhanced XSRF protection requires either a trusted Origin or Referer, the result is that API calls from the Jira web interface in Firefox and Safari fail XSRF checks and receive HTTP 403 Forbidden responses, breaking functionality. Chrome is unaffected because it continues to send its Origin header as normal.
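To make the browser difference concrete, here is a small model of the Origin/Referer rule described above, run over constructed request headers for the POST to /rest/wrm/2.0/resources. This is an added illustration, not the source of Jira's XsrfResourceFilter; the rule it applies (a request passes if it carries an Origin or Referer whose scheme://host matches the Jira base URL, with a literal "null" Origin treated as no usable Origin) is an assumption drawn from the article's description, and the header sets for each browser are constructed samples.

```python
"""
Model of the Origin/Referer check described in the article (added illustration,
not Jira's XsrfResourceFilter source). Shows why, under Referrer-Policy:
no-referrer, a Chrome request passes while Firefox/Safari requests fail.
"""
from urllib.parse import urlsplit
from typing import Mapping

BASE_URL = "https://jira.domain.local"  # base URL taken from the WARN log line in the article


def _origin_of(url: str) -> str:
    """Return scheme://host[:port] of a URL, lower-cased for comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def xsrf_check(headers: Mapping[str, str], base_url: str = BASE_URL) -> tuple[bool, str]:
    """Return (allowed, reason) for a state-changing request.

    Assumed rule, matching the article: the request must carry a trusted Origin
    or a trusted Referer. An Origin of "null" is not a trusted origin, so it is
    treated as absent and the Referer (if any) is consulted instead.
    Header names are matched case-insensitively.
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    trusted = _origin_of(base_url)

    origin = lowered.get("origin")
    if origin and origin.lower() != "null":
        if _origin_of(origin) == trusted:
            return True, f"trusted origin {origin}"
        return False, f"untrusted origin {origin}"

    referer = lowered.get("referer")
    if referer:
        if _origin_of(referer) == trusted:
            return True, f"trusted referer {referer}"
        return False, f"untrusted referer {referer}"

    # Neither header usable: this is the "origin: null , referrer: null" case in the log
    return False, f"origin: {origin} , referrer: {referer}"


# Constructed sample requests under Referrer-Policy: no-referrer (Referer suppressed everywhere)
SAMPLE_REQUESTS = {
    "chrome": {"Origin": "https://jira.domain.local"},   # Chrome keeps its Origin header
    "firefox": {"Origin": "null"},                       # Firefox sets Origin to null
    "safari": {"Origin": "null"},                        # Safari does the same
    # Constructed comparison: Jira's default policy, Referer still sent
    "chrome_default_policy": {"Origin": "https://jira.domain.local",
                              "Referer": "https://jira.domain.local/browse/ABC-1"},
    "cross_site": {"Origin": "https://evil.example"},   # a genuine cross-site request is still rejected
}


def summarize() -> dict[str, bool]:
    """Map each sample request name to whether it passes the check."""
    return {name: xsrf_check(hdrs)[0] for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_REQUESTS.items():
        ok, why = xsrf_check(hdrs)
        status = "200" if ok else "403 XSRF check failed"
        print(f"{name:22} {status:22} ({why})")
```

Running the block prints one line per sample: only the Firefox and Safari entries (and the deliberately cross-site one) end in 403, which is exactly the split the article describes.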
The most common way to set a custom Referrer-Policy is using an HTTP response header:

However, it is also possible to set a custom Referrer-Policy using HTML, using the <meta> tag or the referrerpolicy attribute.
Solution
Referrer-Policy is not currently configurable in Jira, so any modifications to it must be caused by something outside Jira. In most cases this will be an upstream reverse proxy modifying the HTTP response headers, but it can also be due to HTML customisations.
To resolve this issue, locate the source of the custom Referrer-Policy and reconfigure it so that it does not modify Jira's default Referrer-Policy.
On nginx, for example, this directive will cause the above issue with Firefox and Safari browsers:
add_header Referrer-Policy "no-referrer" always;
Commenting that line out will allow Firefox and Safari to resume working.
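As an added diagnostic for the "locate the source" step (not an Atlassian tool), the following Python scans an nginx configuration for active add_header Referrer-Policy directives and reads raw HTTP response headers, as captured in a HAR entry or with curl -I, to report the effective policy. Both the nginx server block and the response headers below are constructed samples; the only value flagged as harmful is no-referrer, since that is the policy the article identifies.

```python
"""
Diagnostics for finding where a custom Referrer-Policy is set (added example,
not part of Jira or Atlassian's documentation). Inputs below are constructed.
"""
import re
from typing import Optional

# Constructed nginx server block; the active Referrer-Policy line is the one from the article.
NGINX_CONF = """\
server {
    listen 8443 ssl;
    server_name jira.domain.local;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "no-referrer" always;
    # add_header Referrer-Policy "no-referrer" always;   (commented out: not active)
    location / { proxy_pass http://127.0.0.1:8080; }
}
"""

# Constructed response headers, as they might appear for the failing POST in a HAR file.
RAW_RESPONSE = """HTTP/1.1 403 Forbidden
Server: nginx
Content-Type: text/plain;charset=UTF-8
Referrer-Policy: no-referrer
X-Frame-Options: SAMEORIGIN
"""

ADD_HEADER_RE = re.compile(r'^\s*add_header\s+Referrer-Policy\s+"?([^";\s]+)"?', re.IGNORECASE)


def nginx_referrer_policies(conf: str) -> list[tuple[int, str]]:
    """Return (line number, value) for every active add_header Referrer-Policy directive.

    Lines whose first non-blank character is '#' are nginx comments and are skipped,
    so a commented-out directive (the fix suggested above) is correctly ignored.
    """
    found = []
    for lineno, line in enumerate(conf.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        m = ADD_HEADER_RE.match(line)
        if m:
            found.append((lineno, m.group(1)))
    return found


def response_referrer_policy(raw: str) -> Optional[str]:
    """Return the Referrer-Policy value from raw response headers, or None if absent."""
    for line in raw.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "referrer-policy":
            return value.strip()
    return None


def breaks_firefox_safari(policy: Optional[str]) -> bool:
    """True for the value the article identifies as making Firefox/Safari send Origin: null."""
    return policy is not None and policy.strip().lower() == "no-referrer"


if __name__ == "__main__":
    for lineno, value in nginx_referrer_policies(NGINX_CONF):
        flag = "  <-- breaks Firefox/Safari" if breaks_firefox_safari(value) else ""
        print(f"nginx.conf line {lineno}: Referrer-Policy {value}{flag}")
    policy = response_referrer_policy(RAW_RESPONSE)
    print(f"response header: Referrer-Policy {policy!r}; "
          f"problematic: {breaks_firefox_safari(policy)}")
```

Against a live system, feed the output of your proxy's configuration file and the headers from a real HAR entry to the two functions; if the response carries Referrer-Policy: no-referrer but no proxy directive sets it, look next at HTML customisations (a meta tag or referrerpolicy attribute), as the Cause section notes.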