Action Required: Forge UI Kit <Image> component patch

Hi developer community,

We have just announced an important update to the Forge UI Kit component requiring developers to update their apps to declare egress permissions.

The patch is being rolled out on 30 June 2023. Please ensure your apps are compliant by this date.

If your Forge app utilises the component, you will need to make some changes to your manifest to declare egress permissions moving forward.

Any domains sourced in the src prop of the component from the @forge/ui UI Kit will need to be explicitly declared as egress routes in your manifest.yml.

Upon declaring the egress domains you will need to redeploy the app. Customers will need to manually update your app to the latest release, as this update will constitute a major version update.

No action is required from you if you have already defined egress permissions for domains used as the src prop for <Image>.

To help you get started, here’s an example of declaring egress permissions in a manifest.yml file:

app:
  id: 'your-app-id'
  name: 'your-app-name'

permissions:
  external:
    images:
      - 'https://images.example.com/*'

modules:
  ...

For a more detailed walkthrough, visit the manifest reference page.

Additionally, please have a look at the breaking change in Forge UI Kit’s <Image> Component changelog entry for more details.
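As an added illustration of the manifest requirement above (not Atlassian's or Forge's own tooling), here is a small pre-deploy check in Python: it takes the image egress patterns from permissions.external.images and the src values used by <Image>, reports any src no pattern covers, and flags patterns that are broader than a single host. The glob matching (a '*' matches any run of characters) and the sample manifest values are assumptions constructed for the example; consult the manifest reference for the real pattern rules.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample data (not from any real app): the image egress patterns
# declared under permissions.external.images, and the src values used by <Image>.
MANIFEST_IMAGE_EGRESS = [
    "https://images.example.com/*",
    "https://*.amazonaws.com/*",  # host wildcard: every S3 endpoint, not one bucket
]
IMAGE_SRCS = [
    "https://images.example.com/logo.png",
    "https://my-bucket.s3.eu-central-1.amazonaws.com/icon.png",
    "https://cdn.other-example.net/banner.png",  # nothing in the manifest covers this
    "data:image/svg+xml,%3Csvg%3E",  # inline data URI, no egress involved
]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Assumed glob semantics: '*' matches any run of characters, all else literal."""
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


def covering_pattern(src: str, patterns: List[str]) -> Optional[str]:
    """Return the first declared pattern that covers src, or None if uncovered."""
    for pattern in patterns:
        if pattern_to_regex(pattern).match(src):
            return pattern
    return None


def is_over_broad(pattern: str) -> bool:
    """True for a bare '*' (no scheme/host) or a pattern whose host part contains '*'."""
    if "://" not in pattern:
        return True
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    return "*" in host


def check_image_egress(srcs: List[str], patterns: List[str]) -> Tuple[List[str], List[str]]:
    """Return (srcs with no covering pattern, patterns wider than one host)."""
    uncovered = [s for s in srcs if not s.startswith("data:") and covering_pattern(s, patterns) is None]
    broad = [p for p in patterns if is_over_broad(p)]
    return uncovered, broad


if __name__ == "__main__":
    missing, broad = check_image_egress(IMAGE_SRCS, MANIFEST_IMAGE_EGRESS)
    for src in missing:
        print(f"UNCOVERED: {src} (image will fail to render once the patch is live)")
    for pat in broad:
        print(f"OVER-BROAD: {pat} (consider narrowing to the exact host you serve from)")
```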

How does this change align with Atlassian’s 6 month deprecation policy?

4 Likes

I’m afraid the deprecation period is effectively zero, insofar as we’ve just filed an ECOHELPPUB incident, because images in our Compass app fail to display due to an egress permission error:

The error properly surfaces the root cause in the development environment:

In contrast, the production environment only shows the dummy SVG with a tooltip “Unable to display due to an image link issue.” (not visible in the screenshot):

[screenshot]

Can you please roll back whatever feature flag has been toggled prematurely here?


PS: As you can see from the screenshot, it is not trivial for us to add those permissions, because we obviously do not want to grant access for all of S3 in eu-central-1 - we have a backlog item to migrate to a CloudFront distribution behind our existing custom domain for the app, which has ample benefits beyond the problem at hand, but changes like that cannot necessarily be addressed at a moment's notice, which is why the Atlassian ecosystem contract stipulates an appropriate default deprecation period of 6 months.

3 Likes

Let me follow this up today, it appears that the feature was rolled out prematurely in this case.

I’ll get it sorted out ASAP and let you know once all sorted.

1 Like

Does this affect images (with external resources) declared in the manifest.yml?

modules:
  jira:customFieldType:
    - key: foo
      name: Foo
>    icon: https://external-stuff.net/icon.png   <

Furthermore, we are using SVG data URIs like this:
<Image src="data:image/svg+xml,%3Csvg..." />

This shouldn’t be a problem, right?

Thanks in advance!

1 Like

This shouldn’t affect applications where images are defined in the manifest file.

In terms of using a URI as the data source that should be acceptable.

1 Like

Due to some concerns regarding egress of data we have made the decision to speed up the timeline of the patch for <Image> to 6 weeks from a 6 month window.

See the Forge deprecation policy here for more information. https://developer.atlassian.com/platform/forge/deprecation-policy/#forge-deprecation-policy

This issue was reported to Atlassian more than 1.5 years ago by multiple members of this community. What changed the criticality of this issue since then?

3 Likes

FYI, this premature change was never rolled back. As of today I had to go through and add image permissions to the manifest file.

Also why is this change occurring at all? What’s the security issue?

The UI Kit was already a piece of junk and every month it gets rendered more useless by these sorts of changes. E.g. I assume developers can no longer accept any user-entered image URLs unless they’re from a known hostname. That wipes out a decent chunk of app use-cases.

Hi Nathan, thanks for the feedback, may I ask what product you are experiencing this issue on? We’ll look into it.

The change here should not prevent those use cases, developers can define a wildcard egress in the app manifest if they choose to.

I’ve fixed it now, but any of our little AI apps in prod have been displaying broken images for who knows how long. E.g.: AI Macros+ for Confluence | Atlassian Marketplace

Forge lint throws the image egress permission. Versions I’m using:

  • forge/cli: 6.11.0
  • forge/api: 2.10.0
  • forge/ui: 1.6.0
  • forge/ui-confluence: 8.0.0

I’ve just now done more testing and seeing the exact same icons and messages as @sopel posted above.

So yeah this change is already deployed in dev and prod. And has been for weeks lol.

Wildcard egress works but this is the message users get when authorising which is a bit hyperbolic when it’s just allowing any image URL to be pasted:

[screenshot]

I’ve double-checked with the engineering team: we have the feature flags for this patch turned off.

Let me know if you are still experiencing this. It shouldn’t be the case.
