New sandboxing of Connect App Iframes in Confluence and Jira

Can I use the below javascript method/property from my cloud App?

  • window.sessionStorage
  • window.location.href
  • window.location.reload(true)
  • window.location.search
  • window.location.hash

Currently, I am getting the error below only in Chrome Incognito mode.

Uncaught (in promise) DOMException: Failed to read the 'sessionStorage' property from 'Window': Access is denied for this document.

The function below did not work for me… relativeUrl works perfectly for navigating inside the internal site.

// To navigate to any page in the outside site:
AP.navigator.go('site', {
absoluteUrl: 'http://anyurl'
});
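The sessionStorage DOMException quoted above is thrown when the browser denies third-party storage to the app iframe (Chrome Incognito does this by default). An added example, not code from the original post or from Atlassian, that probes storage once and falls back to in-memory state for the page load instead of crashing; the `getStorage` hook is an assumption so the same function runs in Node for testing and in the browser as `createSafeStorage(() => window.sessionStorage)`:

```javascript
// Added example: guard sessionStorage access from a Connect iframe.
// Returns a small get/set/remove API backed by real storage when the browser
// allows it, or by an in-memory Map when the access is denied.
function createSafeStorage(getStorage) {
  let backing = null;
  let persistent = false;
  try {
    const s = getStorage();
    // Reading the property may succeed while writes still fail (blocked or
    // over quota), so verify a full round trip before trusting the object.
    const probe = '__probe__' + Date.now();
    s.setItem(probe, '1');
    if (s.getItem(probe) !== '1') throw new Error('storage round-trip failed');
    s.removeItem(probe);
    backing = s;
    persistent = true;
  } catch (e) {
    // Storage denied for this document: keep state only for this page load.
    const mem = new Map();
    backing = {
      getItem: (k) => (mem.has(k) ? mem.get(k) : null),
      setItem: (k, v) => { mem.set(k, String(v)); },
      removeItem: (k) => { mem.delete(k); },
    };
  }
  return {
    isPersistent: persistent,
    get: (k) => backing.getItem(k),
    set: (k, v) => backing.setItem(k, v),
    remove: (k) => backing.removeItem(k),
  };
}

// Constructed stand-in for a browser Storage object (for running outside a browser).
function makeFakeStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Constructed stand-in that reproduces the Incognito failure from the thread.
function deniedStorage() {
  throw new Error("Failed to read the 'sessionStorage' property from 'Window': Access is denied for this document.");
}
```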

Hi @umang.savaliya

This is not possible with the Navigator API. From the docs:

absoluteUrl

Identifies a specific page within a site. Required for the site target and must be within the site’s domain.

This is for security reasons. Redirecting the browser to an external site from an app’s iframe must be associated with a user gesture.

Apps usually do this by:

  • rendering a link for the user to click
  • opening the external site in a new tab using window.open
1 Like

@dboyd I have found that in Microsoft Edge something is broken with the ability to open links in the _top location by user clicks (https://take.ms/yilSr). At the same time everything works fine in Chrome.

Looks like a bug in specifying permissions on your side.
Can you please check?

@anton2 I couldn’t reproduce with your production app in Microsoft Edge.
If you’re still experiencing issues, you could try using the Navigator JS API:

AP.navigator.go('site', {relativeUrl: '/plugins/servlet/ac/io.tempo.jira/oauth-authorize/?client_id=...'});

1 Like

@dboyd thanks for the quick reply!

  1. What version of Microsoft Edge do you use?
  2. Should a regular <a href="…" target="_top"> work?
  3. Does AP.navigator.go work with absolute URLs? For connecting QuickBooks I need to redirect to another domain in the same window.

Let's move to a private message to investigate further…

@dboyd Please post the resolution here when you come to a conclusion, for the benefit of anyone following along with the conversation, now or in the future. I’d like to see Anton’s questions answered as well, for the record if nothing else.

2 Likes

I have updated MS Edge to the latest version and it started to work. I had 44 and the latest is 84.

2 Likes

Hello,

I am asking a question regarding the sandbox for Bitbucket, since this post was shared in the announcement for sandboxing Bitbucket.

  1. How do we enable connect-iframe-sandbox? There is no documentation for it.
  2. Do we need to enable connect-iframe-sandbox on the account of the user using the app, or in the developer account?

Are there any more guidelines about what the allowlist is and where to specify the values mentioned in the announcement? (e.g. allow-downloads, allow-forms, allow-modals, allow-popups, allow-same-origin, allow-scripts, allow-top-navigation-by-user-activation (Firefox: allow-top-navigation)).

Generally speaking, glad to see more security. Would be great if we could have real documentation about breaking changes.

Thanks.

1 Like

Hi @juli1,

You can read more about these changes here: https://developer.atlassian.com/cloud/bitbucket/connect-app-iframe-sandbox/

1 Like

Thank you - I read the documentation. I do not think the documentation mentioned responds to any of the questions above. Is there any way to have clarification on the questions mentioned above? There is absolutely no linked documentation about how to test, nor even a code sample. That is a breaking change and it would be useful to have more guidelines from the Atlassian staff.

Thank you.

Hi,
According to https://developer.atlassian.com/cloud/bitbucket/connect-app-iframe-sandbox/?utm_source=alert-email&utm_medium=email&utm_campaign=bb-sandbox-iframe_EML-7721&jobid=104786071&subid=1517496078

allow-downloads should be included in the sandbox for Bitbucket Connect Apps,

but when I activate "Change notice: Sandboxing of Connect App iframes BETA" in Bitbucket Labs
I cannot see it. I see
sandbox="allow-forms allow-modals allow-popups allow-scripts allow-same-origin allow-top-navigation-by-user-activation"
so I cannot download anything.

Please note, the options persist in Jira and Trello.

Please advise.

Thank you.
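The sandbox attribute quoted in the post above can be checked against the allowlist from the announcement. An added example, not Atlassian's code, that parses an HTML sandbox token list (ASCII-whitespace separated, case-insensitive tokens) and reports which announced flags the host did not grant and what each gap blocks for an app; the consequence table is this example's own summary of the standard sandbox flags, and the observed value is the one quoted in the thread. An app cannot read the host page's attribute from inside its own iframe, so this is meant for a test harness or the browser devtools console on the host page, where the attribute is readable.

```javascript
// Added example: diff the sandbox tokens a host renders on a Connect iframe
// against the allowlist announced in the change notice.
const ANNOUNCED_ALLOWLIST = [
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-popups',
  'allow-same-origin', 'allow-scripts', 'allow-top-navigation-by-user-activation',
];

// What an app loses when each token is absent (this example's own summary).
const CONSEQUENCE = {
  'allow-downloads': 'downloads started from the iframe are blocked',
  'allow-forms': 'form submission is blocked',
  'allow-modals': 'alert/confirm/prompt and print dialogs are blocked',
  'allow-popups': 'window.open and target=_blank links are blocked',
  'allow-same-origin': 'iframe gets an opaque origin: no cookies, localStorage or sessionStorage',
  'allow-scripts': 'JavaScript does not run at all',
  'allow-top-navigation-by-user-activation': 'target=_top links and AP.navigator.go to the top frame are blocked',
};

// Value observed on the Bitbucket Labs beta in the post above.
const BITBUCKET_LABS_OBSERVED =
  'allow-forms allow-modals allow-popups allow-scripts allow-same-origin allow-top-navigation-by-user-activation';

// Parse a sandbox attribute value into a set of lower-cased tokens.
function parseSandbox(attrValue) {
  return new Set(attrValue.trim().toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// True when `token` is granted, treating the unrestricted allow-top-navigation
// (what Firefox uses, per the announcement) as covering the user-activation variant.
function isGranted(granted, token) {
  if (granted.has(token)) return true;
  return token === 'allow-top-navigation-by-user-activation' && granted.has('allow-top-navigation');
}

// Returns the expected tokens the host did not grant, with the impact of each.
function missingSandboxTokens(observedAttr, expected = ANNOUNCED_ALLOWLIST) {
  const granted = parseSandbox(observedAttr);
  return expected
    .filter((t) => !isGranted(granted, t))
    .map((t) => ({ token: t, impact: CONSEQUENCE[t] || 'unknown flag' }));
}
```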

There is no answer from the Atlassian staff.

Would it be possible to have clear guidelines with code examples for testing and show how to test this change? This is a breaking change and there is nothing other than a simple announcement. The Bitbucket announcement has absolutely no instruction whatsoever about how to test (e.g. how to enable connect-iframe-sandbox - something I do not see on my account).

Please provide instructions.

Thanks.

1 Like

If you need a workaround for the iframe restrictions: open a pop-up and start the download from there. That’s also how we were able to access the user’s microphone and camera in the Lively Recorder. :slight_smile:

You don’t want to build your app on top of such hacks, and workarounds. This is not future proof, and will break. As a user you also don’t want to see popups or popunders.

There should be first-class support for such features. There is a ticket for fixing this problem in Atlassian Connect: https://ecosystem.atlassian.net/browse/ACJIRA-2205
Please vote :slight_smile:

Fully agree but I also know that the chances for tickets like these being picked up aren’t nearly high enough to not use what works right now.

2 Likes

Hi @dboyd

We’re also using window.top.location.href in our addon:

App key com.cprime.jira.plugins.surveyproject
App URL https://marketplace.atlassian.com/apps/1213103/surveys-for-jira-jira-customer-surveys?hosting=cloud&tab=overview

Please enroll us for an extension.
Thanks, Elena, Cprime Products Team

Was fixed in BBS-146626.

I suspect that my app, Jenkins Integration for Jira, is also affected by this change. Just yesterday a user of the app informed me that links to their Jenkins instance from within Jira are not working as expected.

Before, the app would also generate links in its panels to jobs and builds in Jenkins, and these links would open in a new window.
But for the last couple of days all these links have opened with connection refused errors.

Looking into the issue, it seems that the X-Frame-Options header with value sameorigin is the cause of the issue. Changing the link target from _blank to _top fixes the issue in that the links work again, but now the user is navigating away from Jira, which I would rather not do.

Is there a workaround available?

I also tried a redirect service endpoint but with no success.