I’ve noticed that Forge’s permission screen gets external permissions wrong?!
The app has this permission descriptor:
```yaml
permissions:
  scopes:
    - 'read:confluence-user'
    - 'storage:app'
  content:
    styles:
      - 'unsafe-inline'
    scripts:
      - 'unsafe-inline'
  external:
    fetch:
      backend:
        - '*'
```
However, on the permission screen, I get this set of permissions asked:
It says 0 external sites. Zero! The pure opposite of what the app actually does.
Am I understanding the permission screen wrong?
Update: I’ve created a bug [FRGE-816] - Ecosystem Jira.
Unless I’m missing something, this is imo quite a bad security bug, because the app has more permissions than a customer thinks it has.