I’m in the process of converting an app that was being developed for Connect to Forge. The frontend is implemented in Angular. So far progress has been slow because I’ve been running into a number of issues, mostly related to CSP.
The first issue I’m having is loading fonts that are embedded as base64 strings inside the application. From searching the forum I can see that this is an issue that has existed in Forge for a number of years but so far there seems to be no indication from Atlassian that they’re going to stop blocking the loading of base64 fonts. Why? I found a post by another user on the forum where he has come up with his own workaround that I intend to try, however, it would be a whole lot easier if Atlassian would allow loading of base64 fonts or provide a reason why they think this needs to be blocked by their CSP.
The second issue I’m having is that my app won’t load at all if I don’t add `'unsafe-inline'` to both the `scripts` and `styles` permission sections of my manifest file. Angular has built-in support for handling CSP so you don’t need to use `'unsafe-inline'`, but it requires that the server generates a random nonce for each request and sets the nonce in an HTTP header that then gets used by the Angular frontend. This is all documented in the Content security policy section of Angular’s security best practices documentation. Because the static files for my frontend are hosted by Atlassian, I have no way of generating a nonce on the server when my static files are loaded, and Forge doesn’t generate a nonce, I have no choice but to use `'unsafe-inline'` just for my app to load. This gives the impression that I’m doing bad things in my app when in reality I’m just trying to work around limitations in Forge. Very frustrating. Has Atlassian tested CustomUI on Forge with any frontend frameworks other than React?
Those are the two biggest headaches I’m facing right now. I’m sure I’ll find more as I get further into my migration. If anyone reading this has had success with a CustomUI Angular app in Forge, I would appreciate any feedback or tips you can offer.
Thanks.
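The server-side step that Angular's nonce-based CSP support relies on, shown as an added example that is not part of the original post and is not Forge or Atlassian code. The `__CSP_NONCE__` placeholder, the function names and the sample `index.html` are assumptions constructed for illustration; `ngCspNonce` is the attribute Angular reads the nonce from.

```javascript
// Per-request CSP nonce for an Angular index.html (Node.js, no framework).
// Web Crypto is global in current Node.js; fall back to node:crypto on older versions.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Constructed stand-in for the index.html produced by an Angular build.
const INDEX_TEMPLATE = `<!doctype html>
<html>
  <head><title>App</title></head>
  <body>
    <app-root ngCspNonce="__CSP_NONCE__"></app-root>
    <script src="main.js" type="module"></script>
  </body>
</html>`;

// 128 bits from a CSPRNG, base64-encoded. A nonce must never be reused across responses.
function generateNonce() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  return Buffer.from(bytes).toString('base64');
}

// Policy without 'unsafe-inline': inline scripts and styles run only if they carry the nonce.
function buildCspHeader(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    `style-src 'self' 'nonce-${nonce}'`,
  ].join('; ');
}

// Builds one response: the same nonce goes into the header and into the HTML.
function renderIndex(template = INDEX_TEMPLATE) {
  const nonce = generateNonce();
  return {
    nonce,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Content-Security-Policy': buildCspHeader(nonce),
      // The document must not be cached, or the nonce would be replayed.
      'Cache-Control': 'no-store',
    },
    // Function form avoids any special handling of the replacement string.
    body: template.replaceAll('__CSP_NONCE__', () => nonce),
  };
}
```

A statically hosted `index.html` cannot do this, because the same bytes are served for every request and a fixed nonce gives no protection.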