Loading Connect stylesheets from CDN instead of inline

Hello,

I’m reaching out regarding the deprecation of the Jira Connect app and its implications for Content Security Policy (CSP) management. We understand that to load inline styles from Atlassian, we need to remove 'unsafe-inline' and add https://connect-cdn.atl-paas.net to both script-src and style-src.

However, our app also relies on 'unsafe-inline' to load styles for our React components, and we encounter issues when it’s removed. Could you please clarify if the removal of 'unsafe-inline' applies solely to Atlassian’s CSS, or does it also affect any inline CSS provided by us? Is it mandatory to remove it entirely, or are there alternative approaches that would allow us to accommodate both Atlassian’s inline styles and our own?

Here is the link to the deprecation: https://developer.atlassian.com/changelog/#CHANGE-1601

@SamLeatherdale: can you clarify if the unsafe-inline could be used by us when it comes to styles introduced from our side?
Thank you for your assistance!

@AtlassianDeveloper

Kind regards,
Shreya

2 Likes

Hi @ShreyaBilloreDecadis, thanks for reaching out for clarification.

Rules such as 'unsafe-inline' don’t distinguish whether the CSS comes from Atlassian or from your app, so there is no way to enable it just for one or the other.

However, it’s not a requirement from us to remove 'unsafe-inline'; it’s just a recommendation to improve your app’s security, if it is possible for you to implement it.

Other vendors were asking for us to make this change so that they weren’t forced to keep this exception in their apps to support Atlassian’s CSS.

Feel free to keep using 'unsafe-inline' if your app requires it to function.

Regards,
Sam

Thank you for the clarification and prompt response. :+1:
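
An added example, not code from this thread or from Atlassian: a small check an app vendor could run against their own CSP header to see, for `script-src` and `style-src`, whether the Connect CDN origin named above is allowed and whether `'unsafe-inline'` is still listed. The function names are hypothetical and the host matching is deliberately simplified (exact origin, bare host, `https:`, `*` or a `*.parent` wildcard).

```javascript
// Added example; function names are hypothetical, not part of any Atlassian API.
const CDN_HOST = "connect-cdn.atl-paas.net"; // CDN origin named in the thread

// Parse "name v1 v2; name2 v3" into a Map of directive -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Simplified source matching against the CDN host (assumption: no paths or ports).
function sourceAllowsCdn(source) {
  const s = source.toLowerCase();
  if (s === "*" || s === "https:") return true;
  const host = s.replace(/^https:\/\//, "").replace(/\/$/, "");
  if (host === CDN_HOST) return true;
  return host.startsWith("*.") && CDN_HOST.endsWith(host.slice(1));
}

// Report, per directive, what the policy says about the CDN and 'unsafe-inline'.
function auditConnectCsp(header) {
  const directives = parseCsp(header);
  const report = {};
  for (const name of ["script-src", "style-src"]) {
    // A missing directive falls back to default-src.
    const sources = directives.get(name) ?? directives.get("default-src") ?? null;
    if (sources === null) {
      // Neither directive nor default-src: this resource type is unrestricted.
      report[name] = { restricted: false, allowsCdn: true, unsafeInline: true };
      continue;
    }
    report[name] = {
      restricted: true,
      allowsCdn: sources.some(sourceAllowsCdn),
      // The keyword applies to all inline code of this type, whoever wrote it.
      unsafeInline: sources.some((s) => s.toLowerCase() === "'unsafe-inline'"),
    };
  }
  return report;
}
```
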