Hello everyone,
I’m currently developing an app for AGC/FedRAMP compliance and have successfully followed the best practices outlined in the Adopt Forge from Connect on AGC guide. We’ve completed the AGC onboarding process, and the app is functioning correctly on our test instance.
However, our QA team has noticed the following Content Security Policy (CSP) warning in the browser console:
Framing '<URL>' violates the following report-only Content Security Policy directive:
"default-src 'self' *.atlassian-us-gov-mod.com *.atlassian-us-gov-mod.net *.cdn.prod.atlassian-dev-us-gov-mod.net".
The violation has been logged, but no further action has been taken.
Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
jira-frontend-bifrost.frontend.cdn.atlassian-us-gov-mod.com/:1
Framing 'https://bas20-staging.balsamiqstaff.com/' violates the following report-only Content Security Policy directive:
"default-src 'self' *.atlassian-us-gov-mod.com *.atlassian-us-gov-mod.net *.cdn.prod.atlassian-dev-us-gov-mod.net".
The violation has been logged, but no further action has been taken.
Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
Important note: The console also shows many similar CSP violations that appear to be related to Atlassian’s own code, not our app. For example:
Loading the font '<URL>' violates the following Content Security Policy directive:
"font-src data: 'self' *.atlassian-us-gov-mod.com *.atlassian-us-gov-mod.net".
The policy is report-only, so the violation has been logged but no further action has been taken.
TG-3:45 Loading the font 'https://ds-cdn.prod-east.frontend.public.atl-paas.net/assets/fonts/atlassian-sans/v3/AtlassianSans-latin.woff2'
violates the following Content Security Policy directive:
"font-src data: 'self' *.atlassian-us-gov-mod.com *.atlassian-us-gov-mod.net".
The policy is report-only, so the violation has been logged but no further action has been taken.
My questions:
- Since this is a “report-only” CSP violation and the app is working without any functional issues, should I be concerned about this for FedRAMP/AGC compliance?
- Will this warning become an actual blocking error when the app moves to production in the AGC environment?
- Given that similar CSP violations are appearing for Atlassian’s own resources (fonts, etc.), is this a known issue in the AGC test environment, or is there any action I need to take on my end?
Any guidance from the community or Atlassian team would be greatly appreciated!
Thank you!
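Added example, not code from the post, from Atlassian or from Balsamiq: a small Python model of how a browser decides which CSP directive governs a framed document (frame-src, then child-src, then default-src) and whether the framed URL matches the source list, using the policy strings and URLs quoted in the console messages above. The page origin is an assumed placeholder tenant, and the source matching is a simplified version of CSP Level 3 host matching (ports and paths ignored).

```python
from urllib.parse import urlsplit

# Policy strings and URLs quoted from the console messages in the post.
POLICY = ("default-src 'self' *.atlassian-us-gov-mod.com "
          "*.atlassian-us-gov-mod.net *.cdn.prod.atlassian-dev-us-gov-mod.net; "
          "font-src data: 'self' *.atlassian-us-gov-mod.com *.atlassian-us-gov-mod.net")
FRAMED_URL = "https://bas20-staging.balsamiqstaff.com/"
FONT_URL = ("https://ds-cdn.prod-east.frontend.public.atl-paas.net/assets/fonts/"
            "atlassian-sans/v3/AtlassianSans-latin.woff2")
# Assumed page origin: a placeholder AGC tenant, not taken from the post.
PAGE_ORIGIN = "https://example.atlassian-us-gov-mod.net"

def parse_csp(policy):
    """Split 'a x y; b z' into {'a': ['x', 'y'], 'b': ['z']}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def governing_directive(directives, directive):
    """Return the directive that actually applies, following the CSP3 fallback chain."""
    chain = ("frame-src", "child-src", "default-src") if directive == "frame-src" \
        else (directive, "default-src")
    for name in chain:
        if name in directives:
            return name, directives[name]
    return None, None  # nothing governs this fetch, so it is allowed

def source_allows(source, url, page_origin):
    """Simplified CSP3 matching: 'self', scheme-source, host-source with wildcard."""
    target, page = urlsplit(url), urlsplit(page_origin)
    if source == "'self'":
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if source == "'none'":
        return False
    if source.endswith(":") and "/" not in source:        # e.g. data:, https:
        return target.scheme == source[:-1]
    pattern = source.split("://")[-1].split("/")[0].split(":")[0]  # host part only
    host = target.hostname or ""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])                  # '*.x.com' never matches 'x.com'
    return host == pattern

def check(policy, url, directive, page_origin=PAGE_ORIGIN):
    """(allowed?, name of the governing directive) for loading `url` under `directive`."""
    name, sources = governing_directive(parse_csp(policy), directive)
    if sources is None:
        return True, None
    return any(source_allows(s, url, page_origin) for s in sources), name

if __name__ == "__main__":
    print(check(POLICY, FRAMED_URL, "frame-src"))   # (False, 'default-src')
    print(check(POLICY, FONT_URL, "font-src"))      # (False, 'font-src')
```

Appending an explicit `frame-src` entry for the framed host to the same policy makes `check` report `(True, 'frame-src')`, which is exactly the fallback behaviour the console note describes; in report-only mode the mismatch is logged but nothing is blocked.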