iFrame issue: How do we embed our widget in an iFrame and display it on the JSM page?

Customer has embedded a widget in an iframe within a custom UI Forge application, but it seems that Atlassian has blocked the ability to open any links from within the iframe, resulting in the following error in the console:

Blocked opening ‘<www.w3schools.com>’ in a new window because the request was made in a sandboxed frame whose ‘allow-popups’ permission is not set.

Customer came across a document that suggests the permissions cannot be updated. Can you please assist us with this issue? It’s currently blocking the customer’s progress.
Doc - https://developer.atlassian.com/platform/forge/custom-ui/iframe/

You need to use the router.navigate method on the Custom UI Bridge.

Hi Adam,
As you may be aware, Custom UI apps in Atlassian are typically run within an iframe, and in our case, we have just embedded a widget within a Forge app using an iframe. However, we have encountered an issue where the widget is unable to open any links within it and as far as I know Forge has applied some Sandbox restrictions in an iframe - https://developer.atlassian.com/platform/forge/custom-ui/iframe/ .

Yes, Forge deliberately applies security restrictions to the iframe so you need to use the Custom UI Bridge to perform actions like refreshing the browser or navigating to a new page.

Did you try something like:

import { router } from '@forge/bridge';

router.navigate('https://www.w3schools.com');

Thanks, Adam. This solution is applicable if the application is purely developed using Forge. However, in our case, we have added our app widget inside an iframe in the Forge app. Therefore, Custom UI apps are run within an iframe, and inside this iframe, we have added another iframe, and I added www.w3schools.com just for reference. This is the error I am facing, and the links are dynamic.

Blocked opening 'https://testchat.atlassian.net/servicedesk/customer/portal/25/AG-4' in a new window because the request was made in a sandboxed frame whose 'allow-popups' permission is not set.

Right, sorry, so you’re actually trying to load a remote iframe within your Custom UI app.

Forge’s security policies won’t allow that. We don’t support remote iframes.

Thank you for confirming. In this case, the only feasible solution would be to utilize a Connect app instead of Forge.

Hi @ChiragBaid , just to add further clarification, all links in custom UI can only be opened or navigated to via the router api. This is for security purposes. If you’re trying to navigate in an iframe inside of your custom UI app, you’ll need to find a workaround in passing in the router api as a callback into the iframe itself and modify the source code within that iframe to call router.navigate/router.open. All child iframes are subjected to the same restrictions as their parent iframe.
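
The hand-off described in the reply above, as an added example that is not part of the original thread and not Atlassian's code. A function cannot be passed across frames directly, so this sketch assumes the child frame posts a message to the parent Custom UI app, which validates it before calling router.open. `createLinkRelay`, the `open-link` message type and the widget origin are hypothetical.

```javascript
// Added example (not from the thread). Parent-side relay for a Custom UI app:
// the sandboxed child frame cannot open windows itself, so it posts
//   window.parent.postMessage({ type: 'open-link', url }, parentOrigin)
// and the parent decides whether to call router.open.
// Hypothetical names: createLinkRelay, the 'open-link' message type.
function createLinkRelay({ router, childOrigin, allowedHosts, getChildWindow }) {
  const hosts = new Set(allowedHosts.map((h) => h.toLowerCase()));

  return function onMessage(event) {
    // Accept messages only from the one frame we embedded, at its expected origin.
    if (event.source !== getChildWindow()) return 'rejected:source';
    if (event.origin !== childOrigin) return 'rejected:origin';

    const msg = event.data;
    if (!msg || msg.type !== 'open-link' || typeof msg.url !== 'string') {
      return 'rejected:shape';
    }

    // Parse before trusting: rejects javascript:, data: and malformed URLs.
    let target;
    try {
      target = new URL(msg.url);
    } catch (err) {
      return 'rejected:url';
    }
    if (target.protocol !== 'https:') return 'rejected:scheme';
    if (!hosts.has(target.hostname)) return 'rejected:host';

    // router.open returns a promise; catch a rejection so it is not left unhandled.
    Promise.resolve(router.open(target.href)).catch(() => {});
    return 'opened';
  };
}

// Wiring inside the Custom UI app (widgetFrame is an assumed <iframe> element):
//   import { router } from '@forge/bridge';
//   window.addEventListener('message', createLinkRelay({
//     router,
//     childOrigin: 'https://widget.example.com',       // constructed value
//     allowedHosts: ['testchat.atlassian.net'],        // host from the error above
//     getChildWindow: () => widgetFrame.contentWindow,
//   }));
```

The allowlist matters because the links are dynamic: without it, any script running in the child frame could make the parent open arbitrary destinations.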

Hi @QuocLieu and @AdamMoore , or else I can use a Connect app, because there seem to be no such restrictions in Connect.

I checked and found that you provide a refresh token with an expiry of 90 days when the ‘offline_access’ scope is set in the authorization flow. However, the access token has an expiry of 1 hour. So, if the access token expires, the only way to obtain a new access token is to use the ‘refresh_token’ grant and pass the existing refresh token to get new access and refresh tokens. But this process will invalidate the previously passed refresh token.

How can we avoid this issue by continuously using the same refresh token to get new access tokens?