Forge app is not allowing base64 in front end app

sindhiyaselvaraj · March 24, 2025, 3:00pm

I have my image in s3. I am trying to fetch that via backend and send as base64 to front end. Forge app is the front end. But i am getting csp error. Below is my manifest.yaml

jira:globalPage:
    - key: xyz
      title: xyz - ${ENV_NAME}
      layout: blank
      security:
        csp:
          content: "img-src 'self' https://*.s3.amazonaws.com http://localhost:8000/ https://1343432.execute-api.us-east-1.amazonaws.com;
              frame-src 'self' http://54.226.172.125:8501/ http://localhost:8000/;
              connect-src 'self' https://1343432.execute-api.us-east-1.amazonaws.com;"
      resource: main
      resolver:
        endpoint: xyz-api-endpoint
      function: resolver
  endpoint:
    - key: xyz-endpoint
      remote: xyz

Could you please help

nmansilla · March 24, 2025, 3:57pm

Hi @sindhiyaselvaraj. To define external domains in your manifest that your Forge app can access, check out https://developer.atlassian.com/platform/forge/add-content-security-and-egress-controls/.

If you click on the “Update the manifest file” section, you’ll find an example.

Your manifest should have a permissions section that would look something like this:

permissions:
  content:
    styles:
      - 'unsafe-inline'
  external:
    images:
      - '*.s3.amazonaws.com'

andrei-pisklenov · April 3, 2025, 12:38pm

Here is a list of elements for which you can grant external egress permissions - use only the ones you truly need:

  external:
    images:
      - "*.example.com"
    scripts:
      - "*.example.com"
    styles:
      - "*.example.com"
    fonts:
      - "*.example.com"
    frames:
      - "*.example.com"
    media:
      - "*.example.com"
    fetch:
      backend:
        - "*.example.com"
      client:
        - "*.example.com"