Avatars not rendering correctly (edge case) - Missing img-src CSP entry on Atlassian side?

bjornbrynjar · August 17, 2021, 6:33pm

Hi there,

I am using Forge and “@atlaskit/avatar”: “^20.3.3” which in general works fine since here: Use Attachment Images in Custom UI - #11 by bjornbrynjar

I just noticed an edge case when it doesn’t work. This happens when users haven’t selected an avatar image. In these cases Jira renders user’s Avatars like this:

Screenshot 2021-08-17 at 18.05.04

However even though I use:

<Avatar
    appearance="circle"
    alt={initials}
    {...props} />

Where initials = “AC”

It renders as follows in my app:

The problem seems to be a “Content Security Policy” problem:

Because when opening the url given:
https://i1.wp.com/avatar-management–avatars.us-west-2.prod.public.atl-paas.net/initials/AC-6.png?ssl=1

I find the missing avatar image my app can’t render:

So it seems the https//i1.wp.com/ url needs to be whitelisted in the same way ‘http://gravatar.com/’ was added to the img-src part of the CSP on the atlassian side - for this to work.

@danielwinterw is this a similar case we encountered here before?

kchan · August 25, 2021, 11:48pm

Hey @bjornbrynjar, sorry for the delayed response!

This seems like an issue we need to fix. I’ll have a look into it and get back to you soon.

kchan · August 26, 2021, 12:28am

Hey @bjornbrynjar, I’m trying to work out where the i1.wp.com URL comes from but I can’t seem to find in the Atlaskit Avatar code where that would come from. Does it get passed through in the ...props part of your code perhaps?

If so, where did you get it from?

paul · August 26, 2021, 2:03am

My Forge app also accesses that. I added in my manifest permissions

permissions:
  external:
    images:
      - '*.gravatar.com'
      - '*.wp.com'
      - '*.atl-paas.net'
      - '*.atlassian.com'

and CSP to get around the problem

    <meta http-equiv="Content-Security-Policy" content="img-src 'self' data: blob: https://secure.gravatar.com https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net https://api.atlassian.com https://i2.wp.com https://forge.cdn.prod.atlassian-dev.net"/>

bjornbrynjar · August 26, 2021, 9:41am

Hi there @kchan

No I am not passing this url through the ‘…props’.

It seems the Avatar component is calling this url indirectly through Jetpack image CDN:

More info on this can be found here:

Cheers
Björn Brynjar

bjornbrynjar · December 8, 2022, 3:37pm

Hi there,

I noticed this problem still exists. Here is how the Avatar looks in our app when the user has not added a profile image:

Screenshot 2022-12-08 at 15.02.32

While on the same screen, Jira renders these avatars in the following way, defaulting to an auto-generated image, based on the user’s initials:

Notice the image URL is exactly the same, however the problem is the following Content Security Policy error as can be seen in the Browser console:

What is worse is that in Safari browsers the Avatar isn’t displayed at all when this happens, only the tooltip shows on mouse-over:
Screenshot 2022-12-08 at 15.17.35

I am considering @pauls workaround but it doesn’t make sense opening up access to all images on these servers.

Because the purpose of CSP is to restrict access to only what is needed by the app and I don’t want users to have to accept “exchanging data” with all of the following services when going through the “Allow access” - prompt.

@danielwinterw or @kchan can you look into this?
This is similar to this issue resolved previously and it seems the solution is to whitelist all URLs necessary, so the ‘@atlaskit/avatar’ component works as expected for all Forge apps - rather than adding these URLs to every app manifest’?

bjornbrynjar · December 13, 2022, 6:21pm

@rwhitbeck can you follow up on this?

From a security perspective, I think it doesn’t make sense to add the following URLs to every Forge app manifest using “@atlaskit/avatar” package, as it seems to be the only solution currently available:

permissions:
  external:
    images:
     - atl-paas.net
     - atlassian.com
     - gravatar.com
     - wp.com

Thanks!

marc · February 3, 2023, 9:12pm

@kchan The usage of gravatar and e.g. wp.com is documented here: IP addresses and domains for Atlassian cloud products | Atlassian Support

This is a feature of the Atlassian platform.