In the Requirements for Connect Cloud Apps, adding a Content Security Policy (CSP) is required.
Using ‘unsafe-inline’ and ‘unsafe-eval’ for scripts is forbidden.
However, when applying this policy to a Bitbucket Connect app, the Connect library itself uses a JavaScript eval, therefore requiring ‘unsafe-eval’ in the Content Security Policy!
Is there a way to prevent this eval? Is this an oversight on the Atlassian Bitbucket side? Or are the CSP rules different for Bitbucket Cloud?
We were already notified of this limitation in Bitbucket Connect’s all.js library. We have reached out to the Bitbucket team internally for a resolution and will get back if we find a workaround, since it requires setting the unsafe-eval directive. However, the current
Hi @SrivathsavGandrathi,
How is a vendor supposed to handle this issue? With the new security requirements, does a vendor need to ask for an exemption?
Hi @marc,
The requirement is to set the Content Security Policy header; the instructions on directives are not a hard requirement but a strong recommendation, as we understand that there is no one-size-fits-all CSP policy that we can enforce. In the Bitbucket Connect case, the unsafe-eval recommendation currently seems not practicable due to the eval usage. No exemption requests are required.
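The check behind this thread, as an added example that is not part of the original posts and not code from Atlassian's Connect library: a small Content-Security-Policy parser that answers, for the header a Connect app plans to send, whether a script-level `eval()` such as the one in all.js would be blocked, and that applies the narrowest change (adding `'unsafe-eval'` to `script-src` only) when it would. The sample policies are constructed, and the assumption that all.js is served from `https://bitbucket.org` is the author's, not something the thread states.

```javascript
// Added example (not from the thread or from Atlassian's all.js): decide whether
// a CSP header permits eval() for scripts, and relax it as narrowly as possible.
//
// CSP rules implemented (CSP Level 3, as the author understands them):
//   - directives are separated by ';', tokens by whitespace, names are
//     case-insensitive, and a repeated directive name is ignored after the first
//   - eval() is governed by script-src; if script-src is absent, default-src
//     applies; if neither is present, eval() is not restricted at all
//   - eval() runs only when the governing source list contains 'unsafe-eval'

function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1)); // first wins
  }
  return policy;
}

function serializeCsp(policy) {
  return [...policy.entries()]
    .map(([name, sources]) => [name, ...sources].join(' '))
    .join('; ');
}

// The directive that governs eval() for this policy, or null if unrestricted.
function governingScriptDirective(policy) {
  if (policy.has('script-src')) return 'script-src';
  if (policy.has('default-src')) return 'default-src';
  return null;
}

function evalAllowed(header) {
  const policy = parseCsp(header);
  const directive = governingScriptDirective(policy);
  if (directive === null) return true;
  return policy.get(directive).some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Narrowest change that lets a script-level eval() run: add 'unsafe-eval' to
// script-src only. If the policy relies on default-src for scripts, a new
// script-src is derived from it so the other fetch directives stay as strict
// as before. A policy that already permits eval() is returned unchanged
// (normalised to the serializer's spacing).
function allowScriptEval(header) {
  const policy = parseCsp(header);
  if (evalAllowed(header)) return serializeCsp(policy);
  const base = policy.get(governingScriptDirective(policy));
  policy.set('script-src', [...base, "'unsafe-eval'"]);
  return serializeCsp(policy);
}

// Constructed sample policies for a hypothetical Connect app; the all.js host
// (bitbucket.org) is an assumption for the example, not taken from the thread.
const STRICT_POLICY =
  "default-src 'self'; script-src 'self' https://bitbucket.org; object-src 'none'";
const DEFAULT_ONLY_POLICY = "default-src 'self' https://bitbucket.org";

for (const p of [STRICT_POLICY, DEFAULT_ONLY_POLICY]) {
  console.log(`${p}\n  eval allowed: ${evalAllowed(p)}\n  relaxed:      ${allowScriptEval(p)}`);
}
```

Running this prints, for each sample policy, whether all.js's `eval()` would be blocked and the relaxed header that unblocks it. Note that the relaxed header still keeps `'unsafe-inline'` out of `script-src`, so the second half of the requirement in the thread is unaffected.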