AP.Dialog doesn't provide JWT token on URL call

Hi folks!

As mentioned in security guidelines (https://developer.atlassian.com/cloud/confluence/cacheable-app-iframes-for-connect-apps/#token-query-string-hash), we check JWT QSH on each html page that can be rendered in an iframe. In case of invalid/missing JWT token, 401 http code.

However we have 401 on connect dialog url described in atlassian-connect.json (opened with AP.dialog (Dialog).

Checking the url, it looks JWT token is not provided in query param by Jira. Looking at the connect dialog module documentation (Dialog ), it’s written that if cacheable is true, not JWT token will be provided.

Tried to remove cacheable, still no JWT token.

Check with ecoscanner (https://developer.atlassian.com/platform/marketplace/ecoscanner/), iframes declared as dialog are not scanned…

Should I miss something that dialog iframe doesn’t need any JWT QSH validation ?

2 Likes