Hello, Forge developers!
As we’ve touched on in the past, security and trust are significant aspects of why we build Forge. We continue to aim to create a transparent platform between Atlassian, Partners, and our customers. One important aspect of this is what we call “informed consent”. We want customers to be aware of what information they are sharing, and not only that, where that information can go.
The first step towards this goal was in the initial design of Forge where we made the decision for API requests to authenticate via OAuth instead of session auth. We wanted apps to have access to everything they needed, but nothing more. That way, our customers knew what an app was capable of.
Our next step on this journey is what we are announcing today: egress controls.
Egress controls allow customers to see more about how an app interacts with the internet, or in other words, how their data can leave the Atlassian cloud.
We are now allowing developers to declare egress permissions in their app manifests, and we will begin enforcing this by blocking all undeclared domains on 14 July 2020. We recommend that you declare your domains today to avoid any issues on the day of enforcement. An example of this in an app manifest looks like the following:
permissions:
  external:
    fetch:
      client:
        - 'www.google-analytics.com'
      backend:
        - '*.ingest.sentry.io'
Read more in the reference docs.
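As an added illustration (not Atlassian's code or the Forge runtime's enforcement logic), the script below audits a list of an app's outbound calls against the declared client and backend domains, so you can spot undeclared hosts before enforcement begins. The matching rules are an assumption: a plain entry must equal the hostname exactly, and a leading '*.' matches any subdomain of the remaining suffix but not the bare suffix itself.

```javascript
// Added example, not Atlassian's code. Audits outbound URLs against the
// egress permissions an app manifest declares. Matching semantics here are
// an assumption: exact host match for plain entries; '*.suffix' matches any
// subdomain of suffix but not suffix itself.

// Constructed manifest mirroring the shape of permissions.external.fetch.
const manifest = {
  permissions: {
    external: {
      fetch: {
        client: ['www.google-analytics.com'],
        backend: ['*.ingest.sentry.io'],
      },
    },
  },
};

// Does a single declared entry allow this hostname?
function hostMatches(entry, host) {
  const pattern = entry.toLowerCase();
  const h = host.toLowerCase();
  if (pattern.startsWith('*.')) {
    // '*.ingest.sentry.io' allows 'o123.ingest.sentry.io' but not
    // 'ingest.sentry.io' (assumed wildcard behaviour).
    return h.endsWith('.' + pattern.slice(2));
  }
  return h === pattern;
}

// Is a fetch from the given side ('client' or 'backend') to this URL allowed?
function isEgressAllowed(m, side, url) {
  const declared = (((m.permissions || {}).external || {}).fetch || {})[side] || [];
  let host;
  try {
    host = new URL(url).hostname;
  } catch (e) {
    return false; // unparsable URL: treat as blocked
  }
  return declared.some((entry) => hostMatches(entry, host));
}

// Return the calls that enforcement would block under the declared manifest.
function findUndeclaredEgress(m, calls) {
  return calls.filter((c) => !isEgressAllowed(m, c.side, c.url));
}

// Constructed sample of calls an app might make.
const sampleCalls = [
  { side: 'client', url: 'https://www.google-analytics.com/collect' },
  { side: 'backend', url: 'https://o123.ingest.sentry.io/api/1/store/' },
  { side: 'backend', url: 'https://ingest.sentry.io/' }, // bare suffix, blocked
  { side: 'client', url: 'https://api.example.com/v1/export' }, // undeclared
];

console.log(findUndeclaredEgress(manifest, sampleCalls).map((c) => c.url));
```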
If you have any questions or feedback, please leave a response in the thread. We’d love to hear from the community!
Cheers,
The Ecosystem Platform