I’m afraid the deprecation period is effectively zero, insofar as we’ve just filed an ECOHELPPUB incident, because images in our Compass app fail to display due to an egress permission error:
In contrast, the production environment only shows the dummy SVG with a tooltip “Unable to display due to an image link issue.” (not visible in the screenshot):
Can you please roll back whatever feature flag has been toggled prematurely here?
PS: As you can see from the screenshot, it is not trivial for us to add those permissions, because we obviously do not want to grant access for all of S3 in eu-central-1 - we have a backlog item to migrate to a CloudFront distribution behind our existing custom domain for the app, which has ample benefits beyond the problem at hand, but changes like that cannot necessarily be addressed at a moment’s notice, which is why the Atlassian ecosystem contract stipulates an appropriate default deprecation period of 6 months.
Due to some concerns regarding egress of data we have made the decision to speed up the timeline of the patch for <Image> to 6 weeks from a 6-month window.
This issue was reported to Atlassian more than 1.5 years ago by multiple members of this community. What changed the criticality of this issue since then?
FYI, this premature change was never rolled back. As of today I had to go through and add image permissions to the manifest file.
Also why is this change occurring at all? What’s the security issue?
The UI Kit was already a piece of junk and every month it gets rendered more useless by these sorts of changes. E.g. I assume developers can no longer accept any user-entered image URLs unless they’re from a known hostname. That wipes out a decent chunk of app use-cases.
Forge lint throws the image egress permission. Versions I’m using:
forge/cli: 6.11.0
forge/api: 2.10.0
forge/ui: 1.6.0
forge/ui-confluence: 8.0.0
I’ve just now done more testing and am seeing the exact same icons and messages as @sopel posted above.
So yeah this change is already deployed in dev and prod. And has been for weeks lol.
Wildcard egress works but this is the message users get when authorising which is a bit hyperbolic when it’s just allowing any image URL to be pasted: