Deprecation notice: Loading Connect stylesheets from CDN instead of inline

Hi developer community, we just announced the deprecation of Atlassian Connect JS loading stylesheets via inline styles, to loading them from the same Connect CDN that all.js is loaded from.

To clarify, this change affects how Atlassian code loads styles internally, and does not prevent your app from using inline styles. However, this will affect your app if you are utilising a Content Security Policy.

This affects the Theming API, and dynamic content macros that supported the legacy Confluence editor.

At the end of the deprecation period (November 18, 2024), we will stop injecting any inline styles and only load from the CDN. If you haven’t allowed loading the styles from the CDN by this point, then theming will no longer work correctly in your app.

If your app doesn’t use the above Connect features, or does not use a Content Security Policy for style-src, no action is required.

Otherwise, please keep reading, or check out Security requirements for cloud apps for details on how to modify your CSP to support these changes.

Action required

To support these changes in your app, if you’re using a Content Security Policy that sets the style-src policy, you must add the Connect CDN (https://connect-cdn.atl-paas.net) to your policy to allow these stylesheets to be injected.

This change means you will no longer be required to use unsafe-inline, and so it’s safe to remove this from your policy if you’ve been relying on it up until now.

Additional context

The stylesheets mentioned here are included automatically via the Connect JS script, not manually by the app vendor. There are two circumstances under which Connect injects stylesheets into your app.

The first is only for apps which opted in to the Theming API. The theme stylesheets currently load via an inline stylesheet, which forces vendors to adopt the insecure unsafe-inline policy, and is the main motivation for this change.

The second location is only for dynamic content macros. We inject a stylesheet with CSS classes representing colors from the legacy Confluence editor. This happens without opt-in, to be backwards-compatible with macros created in the legacy editor. This injection is currently done via CSSOM, not inline styles, and therefore isn’t impacted by style-src CSP rules currently. However it’ll also start being served from the CDN at the end of the deprecation period.

During the deprecation period, styles will be loaded simultaneously via the current methods described above and from the CDN. After the deprecation period, styles will only be loaded from the CDN, and the inline/CSSOM methods will be removed.

4 Likes