What is changing?
If you have an app which renders Dynamic Content Macros that have a rich-text bodyType, content created with the legacy Confluence editor (TinyMCE) can contain other macros within the macro body. If you use the Confluence Content body API to convert a macro body to HTML for rendering, and any nested macros are also Connect apps, then Connect will render a JavaScript snippet to bootstrap the nested Connect app’s macros. We have made a change to the way the nested bodied macros get bootstrapped which should not affect the functionality, yet will make the feature more secure. We are asking anyone who maintains macros with such functionality to keep an eye out for erroneous behavior and to let us know if you are affected by this change.
Why is it changing?
We are changing the initialization implementation to eliminate a security risk.
What do I need to do?
For most vendors, there is no action to take. If your app allows for nesting of bodied macros, please verify that this implementation change does not negatively affect current nested functionality and alert Atlassian if it does. Based on our testing, we do not expect it to and there should otherwise be no action to take.
By when do I need to do it?
November 16, 2020 : Changes will take effect in the Cloud Vendor First cohort of tenants. To enroll a Confluence tenant in this cohort, visit http://go.atlassian.com/cloud-vendor-first-confluence-form.
November 20, 2020 : Changes will take effect for all tenants. Note this is a shorter deprecation period due to security implications.