Add allow-downloads to Forge Custom UI iframe sandbox attributes

Hi there,

I’m currently working on a Jira AdminPage app which gathers audit relevant data and creates reports of it on demand (in the form of a csv file).
Unfortunately downloading the created file currently not possible due to the ‘allow-downloads’ sandbox attribute not being set on the iframe.
Is there a specific reason why this is allowed in Connect Apps (Change notice: Sandboxing of Connect App iframes) and not in Forge?

Are there any plans to support my use case in Forge?
Thanks in advance!

2 Likes

One solution to implement this at the moment is opening an url where the user can download the content. Maybe you can convert the content to base64 and attach it to an url as a query param. You can trigger the browser download from there then (https://example-base64-mirror.com/?base64=foo). But you may hit some url length limits with this approach in some browsers depending on file size.

Looks shaky to me. Atlassian should allow us to trigger downloads directly. As long as allow-downloads is not set, developers have to build unsafe ways to make sensitive files accessible. I think this can be avoided.

Edit: Another workaround that could work: Upload the file as an attachment to an issue or page and use this download link. Should work. Is ugly though.

Cheers

2 Likes

Thanks for suggesting those workarounds! But this is indeed not a good way to handle sensitive user data.
I might have to go with the the option to upload to a Confluence page, but this is not ideal and seems really “hacky” to corporate customers.
It would be great to get a statement from Atlassian on how they want to handle this legitimate use case moving forward with forge.

1 Like