New CSP warnings from *.atl-paas.net

As per the Security requirement for cloud apps (and as a good citizen of the broader internet) all of our apps set a Content-Security-Policy header that includes https://connect-cdn.atl-paas.net as a trusted source for scripts and styles.

Recently (as in the last few days), our Sentry CSP monitoring started to show CSP violations for URIs from https://ds-cdn.prod-east.frontend.public.atl-paas.net

Examples of blocked URIs (and their violated directives) are:

blocked_uri:        https://ds-cdn.prod-east.frontend.public.atl-paas.net/assets/font-rules/v3/atlassian-fonts.css
source_file:        https://connect-cdn.atl-paas.net/all.js
violated_directive: style-src-elem

blocked_uri:        https://ds-cdn.prod-east.frontend.public.atl-paas.net/assets/fonts/atlassian-sans/v2/AtlassianSans-latin.woff2
source_file:        https://connect-cdn.atl-paas.net/all.js
violated_directive: font-src

I have questions.

  1. Was this an intentional change to have *.css and *.woff2 assets served from a specific CDN region URL? (ds-cdn.prod-east.frontend.public.atl-paas.net)
  2. If so, are there other possible regions that we would need to add to our CSP, in addition to “prod-east.frontend”? (e.g. is there a “prod-west.frontend”?)
  3. Is there a changelog entry advising developers of this change and the impact on their content security policies?
7 Likes

Just confirming this Atlassian change also broke font/style imports for our production apps that implement the mandatory CSP rules.

In the absence of any Atlassian guidance our hotfix was to switch the CSP font and style rules to “*.atl-paas.net”

2 Likes

We’ve also been hit. Is there an ECOHELP ticket?

We have raised ECOHELP-66766.

Not sure if that will be visible to anyone other than us & Atlassian at this stage, but in that ticket we’ve included a link to this CDAC thread to highlight that other marketplace partners are also impacted.

Will update here with any news.

2 Likes

Thanks @scottohara,
my question was not necessarily about the visibility of a ticket, more whether Atlassian got alerted formally through a ticket.

1 Like

Response from Atlassian in ECOHELP-66766:

We have checked internally with our engineering team about your questions, and I would like to share the answers with you:

  1. Was this an intentional change to have *.css and *.woff2 assets served from a specific CDN region URL? (ds-cdn.prod-east.frontend.public.atl-paas.net)

Yes. The atlassian-fonts.css and Atlassian Sans font files (e.g., AtlassianSans-latin.woff2) will be served by the ds-cdn.prod-east.frontend.public.atl-paas.net domain.

  2. If so, are there other possible regions that we would need to add to our CSP, in addition to “prod-east.frontend”? (e.g. is there a “prod-west.frontend”?)

There are no plans for the moment to add new regions. Possible new region additions will be informed through developer changelog.

  3. Is there a changelog entry advising developers of this change and the impact on their content security policies?

The engineering team is working on releasing a changelog to inform about this change. The changelog is currently planned to be released on May 23, along with the recommendation to perform the following CSP update:
Update your CSP to include:

style-src https://ds-cdn.prod-east.frontend.public.atl-paas.net
font-src https://ds-cdn.prod-east.frontend.public.atl-paas.net

So there you have it.

If you take this response at face value, this was an intentional change and a changelog entry is forthcoming (albeit 2 weeks after the change was introduced), and everyone should update their apps’ CSP, either with the specific new URL above or (as @Chris_at_DigitalRose suggested) the more liberal wildcard that allows anything from *.atl-paas.net.

6 Likes
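The thread describes three policies: the original one that trusts only connect-cdn.atl-paas.net, Atlassian's recommended fix with the specific ds-cdn host, and the *.atl-paas.net wildcard hotfix. The following script is an added example, not code from the thread or from Atlassian, that replays the two blocked URIs quoted above against each policy and shows which directive actually governs each fetch under CSP3 fallback rules (style-src-elem falls back to style-src, then default-src; font-src falls back to default-src). The policy strings and the page origin https://app.example.com are constructed for the example; the matcher implements only the host-source subset of the CSP grammar that these reports need, not the full specification.

```python
"""Added example: replay CSP violation reports against candidate policies.
Hypothetical helper; implements scheme/host/wildcard/path host-source
matching plus 'self'/'none', not the complete CSP3 grammar."""
from urllib.parse import urlparse

# CSP3 fallback order: a missing *-elem/*-attr directive falls back to its
# base directive, and the base directives fall back to default-src.
FALLBACK = {
    "style-src-elem": ("style-src-elem", "style-src", "default-src"),
    "style-src-attr": ("style-src-attr", "style-src", "default-src"),
    "script-src-elem": ("script-src-elem", "script-src", "default-src"),
    "script-src-attr": ("script-src-attr", "script-src", "default-src"),
    "style-src": ("style-src", "default-src"),
    "script-src": ("script-src", "default-src"),
    "font-src": ("font-src", "default-src"),
    "img-src": ("img-src", "default-src"),
    "connect-src": ("connect-src", "default-src"),
}


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def governing_directive(policy: dict, violated: str):
    """First directive in the fallback chain that the policy actually sets, or None."""
    for name in FALLBACK.get(violated, (violated, "default-src")):
        if name in policy:
            return name
    return None


def host_source_matches(source: str, url: str, page_origin: str) -> bool:
    """Match one source expression against a fetched URL."""
    target = urlparse(url)
    if source == "'none'":
        return False
    if source == "'self'":
        origin = urlparse(page_origin)
        return (target.scheme, target.netloc) == (origin.scheme, origin.netloc)
    if source.startswith("'"):
        return False  # 'unsafe-inline', 'nonce-...', 'sha256-...' never match an external URL
    if source.endswith(":") and "/" not in source:
        return target.scheme == source[:-1].lower()  # scheme-source such as "https:"
    if "://" in source:
        src = urlparse(source)
        allowed_schemes = {src.scheme.lower()}
    else:
        # scheme-less host-source: matches the page's scheme, and https if the page is http
        src = urlparse("https://" + source)
        allowed_schemes = {urlparse(page_origin).scheme, "https"}
    if target.scheme not in allowed_schemes:
        return False
    host, pattern = (target.hostname or "").lower(), (src.hostname or "").lower()
    if pattern.startswith("*."):
        # '*.example.com' matches a.example.com but neither example.com nor evil-example.com
        if not host.endswith(pattern[1:]):
            return False
    elif host != pattern:
        return False
    default_port = 443 if target.scheme == "https" else 80
    if src.port is not None and src.port != (target.port or default_port):
        return False
    if src.path and src.path != "/":
        if src.path.endswith("/"):
            return target.path.startswith(src.path)  # directory prefix match
        return target.path == src.path  # exact path match
    return True


def is_allowed(header: str, violated_directive: str, url: str,
               page_origin: str = "https://app.example.com") -> bool:
    policy = parse_csp(header)
    directive = governing_directive(policy, violated_directive)
    if directive is None:
        return True  # nothing in the policy governs this fetch type
    return any(host_source_matches(s, url, page_origin) for s in policy[directive])


# The two violations quoted in the thread: (violated directive, blocked URI).
REPORTS = [
    ("style-src-elem", "https://ds-cdn.prod-east.frontend.public.atl-paas.net/assets/font-rules/v3/atlassian-fonts.css"),
    ("font-src", "https://ds-cdn.prod-east.frontend.public.atl-paas.net/assets/fonts/atlassian-sans/v2/AtlassianSans-latin.woff2"),
]

# Constructed policies for the example (not a real app's header).
OLD_CSP = ("default-src 'self'; script-src 'self' https://connect-cdn.atl-paas.net; "
           "style-src 'self' https://connect-cdn.atl-paas.net; font-src 'self'")
FIXED_CSP = ("default-src 'self'; script-src 'self' https://connect-cdn.atl-paas.net; "
             "style-src 'self' https://connect-cdn.atl-paas.net https://ds-cdn.prod-east.frontend.public.atl-paas.net; "
             "font-src 'self' https://ds-cdn.prod-east.frontend.public.atl-paas.net")
WILDCARD_CSP = ("default-src 'self'; script-src 'self' https://connect-cdn.atl-paas.net; "
                "style-src 'self' https://*.atl-paas.net; font-src 'self' https://*.atl-paas.net")


def check_reports(header: str) -> dict:
    """{blocked_uri: allowed?} for every report in REPORTS under this header."""
    return {url: is_allowed(header, directive, url) for directive, url in REPORTS}


if __name__ == "__main__":
    for name, csp in (("old", OLD_CSP), ("fixed", FIXED_CSP), ("wildcard", WILDCARD_CSP)):
        for url, ok in check_reports(csp).items():
            print(f"{name:8} {'allow' if ok else 'BLOCK'} {url}")
```

Both fixed policies clear the two reports; the difference is scope. The exact-host form admits one CDN host, while the wildcard admits every subdomain of atl-paas.net (though not the bare domain or look-alikes such as evil-atl-paas.net), which is the trade-off the thread calls "more liberal". Note also that the report's style-src-elem violation is governed by style-src in all three policies because none of them sets style-src-elem explicitly, so the fix belongs on style-src.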

Thanks for following up.

This looks like a total disregard of breaking marketplace apps by Atlassian.
@asridhara can you take a look at this?

3 Likes