PDF attachments fail to load in Chrome on Jira Data Center

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product; however, they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

In Google Chrome, PDF attachments in Jira Data Center appear blank when opened in a new tab and sometimes can't be downloaded.

Environment

Jira Data Center 8.16 and later

Solution

Edit Content-Security-Policy headers on Jira

Because Chrome's behavior can't be changed from the Jira side, the only available action is to stop Jira from setting the Content-Security-Policy header to sandbox for attachments.

To accomplish this:

  1. Navigate to Administration > System > General configuration and select Advanced Settings

  2. In jira.security.csp.sandbox.excluded.content.type, add application/pdf

  3. Find the jira.security.csp.sandbox.included.content.disposition property

    • It should have the "attachment" value by default

  4. Delete the content of the field to leave it empty and select Update

  5. The PDFs will now load in Chrome when accessed directly

This workaround doesn't work when using Oracle DB, due to https://jira.atlassian.com/browse/JRASERVER-78521
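
To confirm the change took effect, inspect the response headers of a PDF attachment request (for example, in the browser's developer tools) and check that Content-Security-Policy no longer carries the sandbox directive. The Python check below is an added example, not Atlassian code; the header blocks are constructed samples and the function names are hypothetical.

```python
# Added example: check captured response headers for the CSP sandbox directive.
# BEFORE, AFTER and OTHER are constructed samples, not real Jira output.

BEFORE = """HTTP/1.1 200 OK
Content-Type: application/pdf
Content-Security-Policy: sandbox
"""

AFTER = """HTTP/1.1 200 OK
Content-Type: application/pdf;charset=UTF-8
X-Content-Type-Options: nosniff
"""

# "sandbox" appears only inside a URL here, so it must not count as the directive.
OTHER = """HTTP/1.1 200 OK
Content-Type: application/pdf
content-security-policy: frame-ancestors 'self'; report-uri /csp/sandbox
"""

def parse_headers(raw):
    """Return (lowercased name, value) pairs; lines without ':' (status line) are skipped."""
    pairs = []
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def csp_directives(pairs):
    """Collect directive names from every Content-Security-Policy header."""
    names = set()
    for name, value in pairs:
        if name != "content-security-policy":
            continue
        for policy in value.split(","):          # one header may carry several policies
            for directive in policy.split(";"):  # directives are ';'-separated
                tokens = directive.split()
                if tokens:
                    names.add(tokens[0].lower())
    return names

def is_sandboxed_pdf(raw):
    """True when the response is a PDF served with the CSP sandbox directive."""
    pairs = parse_headers(raw)
    ctype = dict(pairs).get("content-type", "").split(";")[0].strip().lower()
    return ctype == "application/pdf" and "sandbox" in csp_directives(pairs)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER), ("other", OTHER)):
        print(label, is_sandboxed_pdf(raw))
```

Matching on the parsed directive name rather than searching the header text for the word "sandbox" avoids false positives from other directives whose values happen to contain it.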

Root cause

We identified that this problem happens starting in Jira 8.16, as explained in detail in Security headers in Jira:

"In Jira 8.16 and later, the following header is introduced for security purposes: Content-Security-Policy: sandbox.

The sandbox directive enables a sandbox for a requested resource that is similar to the <iframe> sandbox attribute. It applies restrictions to an object's actions including preventing pop-ups, executing plugins and scripts, and enforcing a same-origin policy.

By default, the sandbox policy is enabled and applied:

  • To all content types except for text/html, application/javascript, and text/javascript. These can’t be sandboxed.

  • When the content-disposition header is set to attachment."

Starting in Jira 8.16.0, when an attachment URL is opened directly (for example, https://myjira.com/secure/attachment/10123/file.pdf), we just see a blank page instead of the PDF file contents. Other attachment types load as expected.

According to this Chromium project discussion, Chrome seems to be stricter with PDF handling than with other attachments, because it uses an extension (even if embedded) to render PDFs.

Therefore, when an application sends a PDF to Chrome with the Content-Security-Policy header set, it might not load the same way it does with other attachments.

This is not exclusive to Jira, as any application that behaves this way will have this result in Chrome.

Updated on June 25, 2025
