We are working on developing a new Forge app within our organisation and part of the functionality we are wanting to create is to embed an iframe with some custom content in it which is returned by a web trigger that we have defined inside of our forge app.
As part of this approach, we have had to define permissions like below inside the manifest.yml file in order to allow the Iframe to be returned and to allow the script tag to be run without it being blocked by Forge’s Content Security Policies.
What we wanted to ask is will the URLs change in future as these URLs do not feel like production urls?
If these URL’s are to change how will be able to be notified of this before they change so that we can make the relevant changes to our app to avoid any functionality breaking for customers?
The solution we have created is working and we are not after assistance with this.
What we are after clarifying is when a new webtrigger is set up in forge it has a URL that starts with the URL pattern shown below":
*.hello.atlassian-dev.net
The hell.atlassian-dev.net part of the URL does not seem like a production-ready URL so we are after confirming will these URL’s that web triggers are given when they are set up, change in future?
We do have the intention of making the produced web-trigger URL’s prettier and feel more production ready however this work has not yet been roadmapped. You can track the progress of this via this FRGE ticket.
When the URL template is updated, both existing and newly created web-trigger URL’s would be valid and work as expected meaning you should not have to update your manifest.yml with another egress domain unless your web-trigger URL is recreated. This way there should be no breaking changes introduced for developers.
Any changes that do occur, will be communicated via the Forge Platform Changelog to notify developers. In the event that there is a deprecation period, developers will be given a reasonable amount of time to migrate to the new URL format also to avoid breaking changes.
This is necessary for Web Triggers as if it was not specified, developers could egress data without users consent or knowledge with their app. If we were to allowlist all Web Trigger domains, this would weaken the CSP for all developers rather than just those who actually need it.