Forge Content Security Policy for scripts unsafe-inline not working

For my forge application, I need to allow unsafe-inline for scripts. However, the Content-Security-Policy generated is including a hash, so does not allow inline scripts to be executed.

Error from the browser console:

index.js:12 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https://forge.cdn.prod.atlassian-dev.net 'unsafe-inline' 'sha256-lD5GlZIyY2huRMSRPdQ1B0C4+WrMbTDgZzvCFgpC5j8=' *".
Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

manifest.yml:

permissions:
  content:
    scripts:
      - unsafe-inline
    styles:
      - unsafe-inline

Entire content-security-policy for the page:

default-src 'self'; frame-ancestors 'self' *.atlassian.net bitbucket.org *.jira.com *.atlassian.com; frame-src 'self' *; font-src 'self' *; img-src 'self' data: blob: https://secure.gravatar.com https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net https://api.atlassian.com *; media-src 'self' data: blob: *; connect-src 'self'; script-src 'self' https://forge.cdn.prod.atlassian-dev.net 'unsafe-inline' 'sha256-lD5GlZIyY2huRMSRPdQ1B0C4+WrMbTDgZzvCFgpC5j8=' *; style-src 'self' 'unsafe-inline' *; form-action 'self'; sandbox allow-downloads allow-forms allow-modals allow-pointer-lock allow-same-origin allow-scripts; report-uri https://web-security-reports.services.atlassian.com/csp-report/forge-cdn

Note: adding the <meta> tags has no affect as the content-security-policy is being set by the iframe html response request headers

1 Like

@Atlassian-Staff any ideas?

Hi @GavinBunney,

Can you double-check that you have deployed and upgraded (install --upgrade) your installation?

What you have in your manifest looks correct.

Thanks Ryan. Yes I have. You can see from the generated content-security-policy header that gets generated my changes are in there (the unsafe-inline is there) but there is also the hash being included from the atlassian generated side of things:

script-src 'self' https://forge.cdn.prod.atlassian-dev.net 'unsafe-inline' 'sha256-lD5GlZIyY2huRMSRPdQ1B0C4+WrMbTDgZzvCFgpC5j8=' *

Styles works ok as it does not include that sha256-xxxx hash.

Sorry about that @GavinBunney, I think I understand what you were saying in your original post now.

I’ve created this ticket to solve the issue.

2 Likes