New sandboxing of Connect App Iframes in Confluence and Jira

Hi @dboyd,

Thanks for your prompt response and for temporarily disabling sandboxing for us! We are going to use both approaches, since window pop-ups are blocked by default. I will let you know when we apply these changes. Hope this will resolve our issue.

Best,
Saida Temirkhodjaeva

Hi @dboyd,

It’s working perfectly, thank you so much for your help. Please feel free to enable sandboxing for us again.

Thanks!
Saida Temirkhodjaeva

Hi,

Please consider adding the 'allow-storage-access-by-user-activation' token to the iframe's sandbox attribute. This is required for Intelligent Tracking Prevention, which is already supported by Safari and Firefox. As far as I know, Google Chrome will also support it in future versions.

The relevant topic from the Trello forum: Add allow-downloads to iframe sandbox attributes.

@becker Wow! I didn't know there was such a parameter; it would definitely be useful!

Does by-user-activation mean that the user needs to take an action, like a click, and only after that can we start accessing third-party cookies?

Yes, access will be granted after a click on the confirmation message.

@anton2 here is the relevant topic: Support of Storage Access API by Atlassian Connect

Can I use the JavaScript methods/properties below from my cloud app?

  • window.sessionStorage
  • window.location.href
  • window.location.reload(true)
  • window.location.search
  • window.location.hash

Currently, I am getting the error below only in Chrome Incognito mode.

Uncaught (in promise) DOMException: Failed to read the 'sessionStorage' property from 'Window': Access is denied for this document.

The function below did not work for me… relativeUrl works perfectly for navigating inside the internal site.

// To navigate to any page in the outside site:
AP.navigator.go('site', {
  absoluteUrl: 'http://anyurl'
});
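The sessionStorage error quoted above is a SecurityError thrown by the property read itself when the browser denies storage to a third-party document (Chrome Incognito blocks third-party storage by default), so a plain `if (window.sessionStorage)` check is not enough: the read has to be inside try/catch. The following is an added example, not code from the original thread or from Atlassian Connect; `getSessionStore`, `makeDeniedWindow`, `makeAllowedWindow` and `demo` are names chosen here, and the two fake window objects are constructed stand-ins so the helper can be exercised outside a browser (in an app you would call `getSessionStore(window)`).

```javascript
// Guarded access to sessionStorage from inside a sandboxed / storage-denied
// iframe, falling back to an in-memory store with the same Storage-like API.
// `win` is injected so the function is testable outside a browser.
function getSessionStore(win) {
  try {
    // Reading the property throws when the document is denied storage access,
    // so the read itself is inside the try block.
    const store = win.sessionStorage;
    // Some browsers expose the object but throw on use; probe once.
    const probe = '__storage_probe__';
    store.setItem(probe, '1');
    store.removeItem(probe);
    return { backend: 'sessionStorage', store };
  } catch (err) {
    // Storage denied: keep state for this page load only, in memory.
    const map = new Map();
    const store = {
      getItem: (k) => (map.has(k) ? map.get(k) : null),
      setItem: (k, v) => { map.set(k, String(v)); },
      removeItem: (k) => { map.delete(k); },
      clear: () => map.clear(),
      get length() { return map.size; },
    };
    return { backend: 'memory', store, reason: err && err.name };
  }
}

// Constructed stand-in for a window whose document is denied storage access
// (mirrors the DOMException name Chrome uses; not a real window object).
function makeDeniedWindow() {
  return {
    get sessionStorage() {
      const e = new Error("Failed to read the 'sessionStorage' property from 'Window': Access is denied for this document.");
      e.name = 'SecurityError';
      throw e;
    },
  };
}

// Constructed stand-in for a window where sessionStorage works normally.
function makeAllowedWindow() {
  const data = new Map();
  return {
    sessionStorage: {
      getItem: (k) => (data.has(k) ? data.get(k) : null),
      setItem: (k, v) => { data.set(k, String(v)); },
      removeItem: (k) => { data.delete(k); },
      clear: () => data.clear(),
      get length() { return data.size; },
    },
  };
}

// Runs both situations and reports which backend was chosen and what was stored.
function demo() {
  const denied = getSessionStore(makeDeniedWindow());
  denied.store.setItem('draft', 'x');
  const allowed = getSessionStore(makeAllowedWindow());
  allowed.store.setItem('draft', 'y');
  return {
    deniedBackend: denied.backend,
    deniedReason: denied.reason,
    deniedValue: denied.store.getItem('draft'),
    allowedBackend: allowed.backend,
    allowedValue: allowed.store.getItem('draft'),
  };
}

console.log(demo());
```

The fallback deliberately loses data on reload, which is the honest behaviour when the browser has refused persistent storage; anything the app must keep across loads should go to its own backend, keyed by the Connect context, rather than to a store the host may deny.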

Hi @umang.savaliya

This is not possible with the Navigator API. From the docs:

absoluteUrl

Identifies a specific page within a site. Required for the site target and must be within the site’s domain.

This is for security reasons. Redirecting the browser to an external site from an app’s iframe must be associated with a user gesture.

Apps usually do this by:

  • rendering a link for the user to click
  • opening the external site in a new tab using window.open
2 Likes
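Putting the two halves of the answer above into one routine: in-site targets go through `AP.navigator.go('site', { relativeUrl })`, and anything on another origin is rendered as a link so that the user's click supplies the gesture the sandbox requires. This is an added example, not code from the thread or from the Connect JS API; `planNavigation`, `escapeHtml`, `linkMarkup` and `demo` are names chosen here, the site URL is constructed, and "within the site's domain" is approximated as a same-origin comparison, which is an assumption.

```javascript
// Decide how a Connect app should reach `target` when embedded in `siteBaseUrl`.
// Same origin  -> AP.navigator.go('site', { relativeUrl }) (no gesture needed).
// Other origin -> render a link; the user's click carries the gesture.
function planNavigation(target, siteBaseUrl) {
  const site = new URL(siteBaseUrl);
  let url;
  try {
    url = new URL(target, site); // resolves relative targets against the site
  } catch (e) {
    return { method: 'reject', reason: 'unparseable target' };
  }
  if (url.origin === site.origin) {
    return {
      method: 'AP.navigator.go',
      args: ['site', { relativeUrl: url.pathname + url.search + url.hash }],
    };
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    // Never render javascript:, data: or similar schemes as a link target.
    return { method: 'reject', reason: 'unsupported scheme ' + url.protocol };
  }
  return {
    method: 'user-link',
    href: url.href,
    // noopener stops the opened page from scripting the iframe's window.
    attributes: { target: '_blank', rel: 'noopener noreferrer' },
  };
}

// Minimal HTML escaping for attribute values and text content.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the anchor markup the app would insert for a user-link plan.
function linkMarkup(plan, label) {
  if (plan.method !== 'user-link') throw new Error('not a user-link plan');
  const attrs = Object.entries(plan.attributes)
    .map(([k, v]) => `${k}="${escapeHtml(v)}"`)
    .join(' ');
  return `<a href="${escapeHtml(plan.href)}" ${attrs}>${escapeHtml(label)}</a>`;
}

// Constructed inputs: a host site and three candidate targets.
function demo() {
  const site = 'https://example.atlassian.net';
  const internal = planNavigation('/plugins/servlet/ac/io.example/oauth-authorize/?client_id=abc', site);
  const external = planNavigation('https://accounts.example.com/connect?scope=read&state=abc', site);
  const rejected = planNavigation('javascript:void(0)', site);
  return {
    internal,
    external,
    rejected,
    markup: linkMarkup(external, 'Continue to provider'),
  };
}

console.log(demo());
```

The `rel="noopener noreferrer"` and scheme check are the two defensive details worth keeping when the external target comes from configuration or an API response rather than a constant.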

@dboyd I have found that in Microsoft Edge something is broken with the ability to open links in the _top location by user clicks (https://take.ms/yilSr). At the same time, everything works fine in Chrome.

Looks like a bug in specifying permissions on your side.
Can you please check?

@anton2 I couldn’t reproduce with your production app in Microsoft Edge.
If you’re still experiencing issues, you could try using the Navigator JS API:

AP.navigator.go('site', {relativeUrl: '/plugins/servlet/ac/io.tempo.jira/oauth-authorize/?client_id=...'});

1 Like

@dboyd thanks for the quick reply!

  1. What version of Microsoft Edge do you use?
  2. Should a regular <a href="…" target="_top"> work?
  3. Does AP.navigator.go work with absolute URLs? For connecting QuickBooks I need to redirect to another domain in the same window.

Let's move to a private message to investigate further…

@dboyd Please post the resolution here when you come to a conclusion, for the benefit of anyone following along with the conversation, now or in the future. I’d like to see Anton’s questions answered as well, for the record if nothing else.

2 Likes

I have updated MS Edge to the latest version and it started to work. I had 44 and the latest is 84.

2 Likes

Hello,

I am asking a question regarding the sandbox for Bitbucket, since this post was shared in the announcement for sandboxing Bitbucket.

  1. How do I enable connect-iframe-sandbox? There is no documentation for it.
  2. Do we need to enable connect-iframe-sandbox on the account of the user using the app, or in the developer account?

Are there any more guidelines about what the allowlist is and where to specify the values mentioned in the announcement? (e.g. allow-downloads, allow-forms, allow-modals, allow-popups, allow-same-origin, allow-scripts, allow-top-navigation-by-user-activation (Firefox: allow-top-navigation)).

Generally speaking, I'm glad to see more security. It would be great if we could have real documentation about breaking changes.

Thanks.

1 Like

Hi @juli1,

You can read more about these changes here: https://developer.atlassian.com/cloud/bitbucket/connect-app-iframe-sandbox/

1 Like

Thank you. I read the documentation. I do not think the documentation mentioned responds to any of the questions above. Is there any way to get clarification on the questions mentioned above? There is absolutely no linked documentation about how to test, nor even a code sample. This is a breaking change and it would be useful to have more guidance from the Atlassian staff.

Thank you.

Hi,
According to https://developer.atlassian.com/cloud/bitbucket/connect-app-iframe-sandbox/?utm_source=alert-email&utm_medium=email&utm_campaign=bb-sandbox-iframe_EML-7721&jobid=104786071&subid=1517496078

allow-downloads should be included in the sandbox for Bitbucket Connect Apps,

but when I activate "Change notice: Sandboxing of Connect App iframes BETA" in Bitbucket Labs
I cannot see it; I see
sandbox="allow-forms allow-modals allow-popups allow-scripts allow-same-origin allow-top-navigation-by-user-activation"
so I cannot download anything.

Please note, the option persists in Jira and Trello.

Please advise.

Thank you.
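One concrete way to test the change the posts above ask about is to read the sandbox attribute the host puts on the app iframe and check it against the capabilities the app relies on. The following is an added example, not code from the thread or from Atlassian; the token names come from the announcement quoted in this thread, while the capability-to-token table, `parseSandbox`, `checkSandbox` and `demo` are constructed here. Reading the attribute has to happen from the host page (for instance in a browser-automation test), because a cross-origin framed app cannot inspect its parent's elements.

```javascript
// Sandbox tokens that satisfy each capability (any one token is enough).
// allow-top-navigation is listed alongside the by-user-activation form because
// the announcement says Firefox uses it instead.
const CAPABILITY_TOKENS = {
  downloads: ['allow-downloads'],
  forms: ['allow-forms'],
  modals: ['allow-modals'],
  popups: ['allow-popups'],
  sameOrigin: ['allow-same-origin'],
  scripts: ['allow-scripts'],
  topNavigation: ['allow-top-navigation-by-user-activation', 'allow-top-navigation'],
};

// The sandbox attribute is an ASCII-whitespace-separated, case-insensitive
// token set; an empty attribute means "fully sandboxed".
function parseSandbox(attr) {
  return new Set(String(attr).trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Report which of the needed capabilities the given sandbox value blocks.
function checkSandbox(attr, needed) {
  const tokens = parseSandbox(attr);
  const missing = [];
  for (const cap of needed) {
    const accepted = CAPABILITY_TOKENS[cap];
    if (!accepted) throw new Error('unknown capability: ' + cap);
    if (!accepted.some((t) => tokens.has(t))) missing.push(cap);
  }
  return { ok: missing.length === 0, missing };
}

// Constructed inputs: the Bitbucket beta value quoted in this thread, the full
// list from the announcement, a Firefox-style value, and an empty sandbox.
const BITBUCKET_BETA = 'allow-forms allow-modals allow-popups allow-scripts allow-same-origin allow-top-navigation-by-user-activation';
const ANNOUNCED_FULL = 'allow-downloads allow-forms allow-modals allow-popups allow-same-origin allow-scripts allow-top-navigation-by-user-activation';
const FIREFOX_STYLE = 'allow-forms allow-scripts allow-same-origin allow-top-navigation';

function demo() {
  const needed = ['downloads', 'forms', 'popups', 'topNavigation'];
  return {
    beta: checkSandbox(BITBUCKET_BETA, needed),
    full: checkSandbox(ANNOUNCED_FULL, needed),
    firefox: checkSandbox(FIREFOX_STYLE, ['forms', 'topNavigation']),
    locked: checkSandbox('', needed),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run against the beta value quoted above, the check reports `downloads` as the one missing capability, which matches the symptom described (forms, pop-ups and top navigation still work, downloads do not); wiring the same check into an integration test makes a host-side change to the token list fail a build instead of a customer.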

There is no answer from the Atlassian staff.

Would it be possible to have clear guidelines with code examples for testing and show how to test this change? This is a breaking change and there is nothing other than a simple announcement. The Bitbucket announcement has absolutely no instruction whatsoever about how to test (e.g. how to enable connect-iframe-sandbox - something I do not see on my account).

Please provide instructions.

Thanks.

1 Like