This change has already been rolled out to sites in the Jira and Confluence Ecosystem Beta Groups for testing and will be rolled out to the general public beginning Wednesday 1st April (changed from Wednesday 25th March)
In general most apps should be unaffected, however if your app does anything outside of the allowlist you will be affected. Some examples are:
access window.parent or window.top directly from inside your Iframe’s JavaScript
(eg. setting window.top.location.href without a user gesture)
modify document.domain of your Iframe or any nested Iframe
If this is the case, please reply to this announcement so we can grant your app an extension and work with you to find an alternative solution
Hi @nchakarov, welcome to the developer community!
Nested iframes will be affected under the following known conditions:
The app’s top Iframe and nested Iframe share a second-level domain, and manipulates document.domain in order to allow cross-frame communication.
Please see a more detailed explanation here
This change breaks Scroll Documents in several places where we use parent.location.href = ... to redirect the user somewhere. The reason why we are using that method for redirecting at all is because of the following drawbacks in the Confluence Cloud JavaScript API:
AP.navigator.go only allows to specify customData when navigating to an addonModule. We need it as well when navigating to a contentview and to a contentlist, and I don’t see why it shouldn’t be allowed for any kind of navigator target.
AP.flag.create doesn’t allow to specify a href for the actions. This is not only annoying for the users, because they cannot open the action in a new tab, but it also forces us to manually redirect the user in reaction to the flag.action event.
It would be nice if those issues could be fixed and the sandbox be disabled until then.
How can we make sure which instances are in the Jira Ecosystem Beta group? Because the instance I thought was in it isn’t showing any sandbox params on the iframes.
This change will break a few navigation in our application, because we currently use window.open("url", "_top"). We noticed that some features in our application broke yesterday, because of this change. We have tried several combinations using AP.navigator.go, but it does not work for us, because it has limited targets and it does not support concrete url at the moment. Please, grant our app an extension and what other alternative solution do we have.
We are using window.top.location.href = in several cases in eazyBI and this will break our app functionality.
We are using it to redirect
from a configuration page to our general page
we use URLs with additional parameters in our emails - when user clicks the link and opens this email we capture additional URL parameters but then we want to redirect to the main app page without additional parameters.
Please do not do such quick change without allowing us to find if we can do any alternative solutions.
I enrolled https://imatincr.atlassian.net and am seeing the sandbox properly in Confluence, but not in Jira. What should I do to get this addressed? I would like to get this fixed ASAP since we have so little time to implement any fixes.
We also use window.top.location = ... in multiple apps to redirect to other pages within Confluence. This is a very aggressive timeline to expect apps to react. Can you at least provide an API on AP to do safer redirects to pages within the host app?
We tested the apps we were concerned about but they still seem to be working. We have another app that may be affected in some user use cases but I think we can workaround that with documentation.
We are also using window.top.location to redirect to the creation page of custom content in Confluence. This is a workaround because AP.navigator.go does not allow to go to the creation page, but only content view and edit (see Editcomponent for custom content).
The rollout will now be delayed until Wednesday 1st April in order to ensure vendors that are concerned have time to enrol in the Beta group and let us know if they need to be initially excluded
As stated in the announcement, if you have reason to believe your app is affected and request an extension you will not need your app to be fixed by this date
Please note that enrolling a site in the Beta group is a manual process at our end and may take a day or two.
If you are familiar with Chrome dev tools, you can test your app now in any product by adding the sandbox attribute and reloading your iframe.
I think if you want to roll out changes like this it would be a very good idea to fix the AP.navigator API because this seems to be the main problem for all vendors.
But for now we would like to enroll with an extension for Atlas CRM for Confluence and for Jira until AP.navigator get’s fixed:
We have an app module k15t-docs-documents-overview-page that is configured to be the content list for the custom content type ac:k15t-scroll-document-versions-for-confluence:document. We want to navigate there and set the custom parameter activeDocumentId. So far we could do it like this:
