When we launched Forge for in-house developers, we heard a lot of meaningful feedback from you, our developer community. In particular, you told us that Forge’s frontend needs:
- More flexibility & components
- A clear migration path for existing apps
- A smoother learning curve for developers unfamiliar with React
We heard you, and we listened. To respond to your feedback meaningfully, however, we had to look further than the UI kit (f.k.a. Forge UI). We’ve been hard at work since June on a complementary frontend offering: Custom UI.
You can dive in and play around with it right now, or read on to learn more about how it works, and how it fits with our existing frontend offerings.
What Custom UI does
When you use Custom UI, you statically define HTML, CSS, JS, and image files that are hosted and displayed inside existing Forge modules on our secure infrastructure. You get complete control over what framework (or lack of framework) you use, provided you give us a static bundle with an index.html file.
We’re excited to announce that Custom UI is live in all currently eligible Forge Jira modules, starting today, and we’ll be rolling out to Confluence and Editor in the coming days and weeks.
We’ve designed Custom UI to avoid three key classes of security vulnerabilities that we see in Connect:
1. Like UI kit, we don’t send your app’s tokens or secrets to the frontend, so there’s less chance of token leakage leading to malicious control.
2. We ensure a high level of trust for scripts running in your app, in an effort to make cross-site scripting—one of the largest categories of bugs we’ve seen in our bug bounty program—much more difficult.
3. By default, apps can only egress data through the secure Forge FaaS platform. Custom UI apps can achieve this via our newly imagined Custom UI bridge.
(2) and (3) are implemented using a strict Content Security Policy, which means Custom UI apps will only display on browsers that Atlassian officially supports. This means that your apps will not be able to support cross-site scripts such as Google Analytics right now. We’re looking into how best to support these kinds of requirements, and to understand them we’d love to hear what functionality you need, in the comments below or by direct message. For more details on how we keep Custom UI secure, check out our documentation.
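Before moving a static bundle onto Custom UI, it helps to know which scripts in `index.html` a strict policy would refuse. The audit below is an added example, not Atlassian's code or the actual Forge policy: it assumes a policy that allows only same-origin script files and no inline script, and the sample HTML and the names `BundleAudit` and `audit_index_html` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample entry point of a static bundle (not from a real app).
SAMPLE_INDEX_HTML = """<!doctype html>
<head>
  <script async src="https://www.googletagmanager.com/gtag/js?id=EXAMPLE"></script>
  <script>window.dataLayer = window.dataLayer || [];</script>
</head>
<body onload="init()">
  <script src="./static/main.js"></script>
  <script src="//cdn.example.com/lib.js"></script>
</body>"""

class BundleAudit(HTMLParser):
    """Collect script usage that the assumed same-origin-only policy would refuse."""
    def __init__(self):
        super().__init__()
        self.findings = []      # tuples of (line, kind, detail)
        self._inline_at = None  # line of a <script> without src, until its body is seen

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        attrs = dict(attrs)
        if tag == "script":
            src = attrs.get("src")
            if src is None:
                self._inline_at = line
            elif urlparse(src).netloc:  # absolute or protocol-relative URL
                self.findings.append((line, "cross-site-script", src))
        for name in attrs:
            if name.startswith("on"):   # onclick, onload, ... (heuristic)
                self.findings.append((line, "inline-handler", f"{tag}[{name}]"))

    def handle_data(self, data):
        if self._inline_at is not None and data.strip():
            self.findings.append((self._inline_at, "inline-script", data.strip()[:40]))
        self._inline_at = None

    def handle_endtag(self, tag):
        self._inline_at = None  # an empty <script></script> is not a finding

def audit_index_html(html):
    """Return sorted findings for one HTML document."""
    parser = BundleAudit()
    parser.feed(html)
    parser.close()
    return sorted(parser.findings)
```

Each finding is a script that has to be bundled locally, moved into a same-origin file, or dropped before the frontend is migrated.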
How to choose between Custom UI, UI kit, and Connect
Custom UI is launching in GA preview at Developer Day on November 10 with full GA to follow very soon. This means that it’s ready for anyone—from in-house customizer to experienced Marketplace Partner—to start building on today, to get your apps ready in time for the Forge Marketplace launch in early 2021. You’ll also soon be able to start integrating Connect apps with Forge, meaning that you can start playing with Custom UI and hosted functions in your existing apps. Tune into Developer Day to learn more about adopting Forge with Connect apps.
If you’re starting a new app from scratch
You should start on Forge, which allows you to pick what UI extensibility option to use on a module-by-module basis across your app. If your module is relatively straightforward, start with UI kit, and work with Custom UI on more complex modules when you require extra functionality or customization. For more information on the differences between Custom UI and UI kit, check out our documentation.
If you have an existing static frontend on Connect (Cloud) or P2 (Server & Data Center)
To make your apps as secure as possible by taking advantage of the features listed above, we recommend you move your app’s frontend onto Forge. The Forge team has opened up many migration paths to make this as easy as possible—you can rebuild your app from scratch to be fully Forge-native, or adopt Forge with your Connect app module-by-module (currently in alpha; watch Developer Day for more).
You can migrate your static frontend directly onto Custom UI, or rebuild it in either Custom UI or UI kit, depending on your needs. If you choose to migrate your frontend, we recommend working on it incrementally, since parts of your app might have to change to work with the new security enhancements.
If your app needs to use a cross-site script (ex. Google Analytics)
We don’t currently support cross-site scripts in Custom UI, in order to start from a position of keeping our users secure. However, we do intend to have a solution for this, so try to build your app in Custom UI without cross-site scripts for now and tell us what scripts you still need to use. We’re keen to work with you to ship a great solution for these features.
If your app needs a dynamic frontend (ex. Server Side Rendering, PHP, ASP)
You should continue to build your app on Connect—but tell us about your needs! We’re really interested in learning about what kinds of apps require dynamic frontends, so if your app falls into this bucket, comment below or shoot us a direct message with your use case and we’ll look into how we can cover it on Forge.
Get started today
Tune into Developer Day on Nov 10 to learn more about all the stuff we’re announcing for Forge and the Ecosystem Platform, including Custom UI. Once you’re done, dive into Custom UI, and let us know what you think of it—the future of Custom UI will be shaped by our developers, for our developers, and your feedback will help us prioritize our roadmap to deliver you value sooner.
Forge on with your apps!