Iframe Usage in Forge Jira Custom UI's

Hi, is there any plan to introduce the ability to embed iframes pointing to external sites within Forge Custom UI’s? Currently, CSP blocks this functionality.

Hi Rick, we’d be interested in hearing your use case for this as allowing this would reduce some of Forge’s security goals

Thanks, nhur. A quick search of the existing marketplace for “embed” or “iframe” will surface dozens of existing apps that embed live prototyping tools, whiteboarding tools, spreadsheets, etc. All of these rely on iframes to source live versions of existing products outside of Jira. I don’t believe this is a fringe feature or request.

If CSP is required, then during the app approval process, a URL, or series of URL’s could be submitted for approval and added to the allowed domains list. Or, just as in when we use the .asUser method for Forge API calls, Jira could request that the user give permission to reach outside domains.

Hi @rick, thanks for bringing it up — my previous answer stating that it would reduce some of Forge’s security goals is incorrect for this use case of content injection (the primary goal would be to mitigate XSS).

We plan to add further customisability to the CSP to allow embedding iframes from external sites in the near future.

Thanks, @nhur. Is there a ticket I can follow so I can be alerted once it’s ready?

Hi @rick, I have made this https://ecosystem.atlassian.net/browse/FRGE-237 for tracking updates. We don’t have any concrete internal tickets yet as this work would be in a later milestone, so it may be a while.


It’s been a while but our team is actively working on this — I’ll keep updating the ticket as we go!


hi, do we have any iframe component on forge ui to render within custom ui.

I am getting the below error with html iframe tag

        <iframe src="https://www.youtube.com/"  width="450px"  height="450px"></iframe>

You need to use Custom UI to render iframe content https://developer.atlassian.com/platform/forge/custom-ui/

1 Like

Updating here too, this feature was released: New external permissions, authorize method, CLI improvements, and bug fixes