Hi folks!
As mentioned in the security guidelines (Cacheable app iframes for Connect apps), we check the JWT QSH on each HTML page that can be rendered in an iframe. In case of an invalid/missing JWT token, a 401 HTTP code is returned.
However, we get a 401 on the Connect dialog URL described in atlassian-connect.json (opened with AP.dialog, https://developer.atlassian.com/cloud/jira/platform/jsapi/dialog/).
Checking the URL, it looks like the JWT token is not provided in the query param by Jira. Looking at the Connect dialog module documentation (https://developer.atlassian.com/cloud/jira/platform/modules/dialog/), it's written that if cacheable is true, no JWT token will be provided.
Tried to remove cacheable, still no JWT token.
Checked with ecoscanner (https://developer.atlassian.com/platform/marketplace/ecoscanner/): iframes declared as dialog are not scanned…
Am I missing something? Does the dialog iframe not need any JWT QSH validation?