New sandboxing of Connect App Iframes in Confluence and Jira

Hey Daniel,
Are you sure? You will have received a confirmation email from me for all sign ups to the Cloud Vendor first release for Jira but I don’t see that site enrolled.
Could you be confusing this with the Jira Cloud Vendor Feature Preview sign up?

Cloud Vendor Feature preview is similar to a server EAP, it’s usually more than a week or so before release, and it won’t necessarily be the final release as we may make changes or fixes. We’ll use this for big changes where we anticipate apps might need some moderate work to remain compatible.

Cloud Vendor First Releases are ready for production, however we’re releasing them first to ecosystem vendors to ensure you’re ahead of your customers.

I hope this clarifies.
Cheers, Mel

Hey Boris,
Similar to my reply to Daniel, it doesn’t look like you’ve actually submitted that Jira instance via the link supplied above. Would you try again? You’ll get an email in 24-48 hours confirming your instance has been added.
Cheers,
Mel

I think the fault lies on this side of my monitor then… I’ll drop in requests in a bit.

2 Likes

AP.navigation does not work for us in every situation and we are forced to use window.parent on these occasions.

We (Xray Test Management for Jira) would like to be granted an extension on this.

1 Like

@Dboyd took care of this for me, thanks.

1 Like

Another thing that I just realised is that we are also using AP.history for managing state. As far as I can tell, AP.navigator.go doesn’t provide a way to set the location hash.

Regarding navigation, we use <a href="JIRA_URL" target="_top"> everywhere and it seems to work even with the sandbox attributes in place. Since it’s a clickable link, it’s probably considered as allow-top-navigation-by-user-activation.

Hi @dboyd & @mpaisley,

We’re also using window.top.location.href = in 2 of our addons:

Redirection - Redirection for Confluence | Atlassian Marketplace
Linking - Linking for Confluence | Atlassian Marketplace

Please enroll us for an extension.

Thanks,
Ucchishta.

3 Likes

Hi @dboyd,
I’ve found an issue: if a Widget Connector macro (with a YouTube video) is used inside a 3rd party macro (for example, Table Filter macro), then it is not possible to open the video in full-screen mode and a JS exception is thrown:

Failed to construct 'PresentationRequest': The document is sandboxed and lacks the 'allow-presentation' flag.

2 Likes
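
Added example, not part of any post in this thread and not Atlassian's code: a small audit that checks app source for the three behaviours discussed above (assigning `window.top.location.href`, `target="_top"` links, and `PresentationRequest`) against an iframe sandbox token list. The `SANDBOX` value, the `SAMPLE` lines and the function names are constructed for illustration; the thread does not state the actual attribute value.

```javascript
// Constructed sandbox value for illustration; NOT the value Atlassian applies.
const SANDBOX = "allow-scripts allow-forms allow-top-navigation-by-user-activation";

// Constructed app snippets mirroring the patterns reported in the thread.
const SAMPLE = [
  "window.top.location.href = issueUrl;",
  '<a href="JIRA_URL" target="_top">Open issue</a>',
  "const request = new PresentationRequest(videoUrl);",
  "AP.navigator.go(target, context);",
].join("\n");

// needs: any one of these tokens permits the behaviour outright.
// gesture: script call that the by-user-activation token permits only during a user gesture.
const RULES = [
  { name: "script top navigation", gesture: true,
    pattern: /\b(?:window\.)?top\.location(?:\.href)?\s*=(?!=)/,
    needs: ["allow-top-navigation"] },
  { name: "link target=_top", gesture: false,
    pattern: /<a\b[^>]*\btarget\s*=\s*["']?_top\b/i,
    needs: ["allow-top-navigation", "allow-top-navigation-by-user-activation"] },
  { name: "PresentationRequest", gesture: false,
    pattern: /\bnew\s+PresentationRequest\s*\(/,
    needs: ["allow-presentation"] },
];

// Sandbox tokens are whitespace-separated and ASCII case-insensitive.
function parseSandbox(value) {
  return new Set(value.toLowerCase().split(/\s+/).filter(Boolean));
}

function classify(rule, tokens) {
  if (rule.needs.some((t) => tokens.has(t))) return "allowed";
  const byGesture = tokens.has("allow-top-navigation-by-user-activation");
  return rule.gesture && byGesture ? "needs-user-gesture" : "blocked";
}

// Returns one finding per matching source line: { line, rule, status }.
function audit(source, sandboxValue) {
  const tokens = parseSandbox(sandboxValue);
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const rule of RULES.filter((r) => r.pattern.test(text))) {
      findings.push({ line: i + 1, rule: rule.name, status: classify(rule, tokens) });
    }
  });
  return findings;
}

console.log(audit(SAMPLE, SANDBOX));
```

A `needs-user-gesture` result is a static guess: the scanner cannot see whether the assignment actually runs inside a click handler, so those lines need a manual check.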

Thanks @akhaneev
I’ve raised this internally to see if we can add allow-presentation
Will comment on this thread with a response soon

1 Like

Hi @dboyd

We are using window.top.location.href = in our app in a number of places, therefore, we would like to request an extension so we can test the impact of this change on our app and implement potential workarounds/fixes.

Regards,

zAgile

After investigation, we’re not currently aware of any apps that are dependent on allow-presentation to support their functionality. We’ve chosen not to include it at this stage.

While there may not be any apps that absolutely depend on the presentation mode being available, it will surely cause confusion for our users if videos cannot be expanded to fullscreen mode anymore.

For us, this mainly affects our “Getting Started” pages where we have embedded YouTube videos that explain our apps. It is the first point of contact with our customers and we’d rather leave a good impression. It would be a shame if those videos would become hard to watch because of small fonts etc. if they could no longer be enlarged, especially for users with impaired vision.

Also, shouldn’t the consideration which sandbox attributes are allowed be more regarding security and user experience and less about which apps are currently depending on those attributes?

8 Likes

Hey,

I found this conversation while I was trying to figure out what’s going on with our Jira Cloud App, which is currently not displayed correctly and is not loading any values in dropdowns.

After talking with one of our engineers, we both think this change is most likely blocking our Jira Cloud App from working.

Therefore, it would be awesome to get an extension for this @dboyd until we could find a fix.

You can find our app here:

Thanks!

@Alexander_Leonhard Please load all.js from the CDN. See Deprecation of xdm_e Usage

The rollout of the sandboxing has begun, and will be rolled out slowly over the following weeks.
We will be monitoring as closely as we can for affected apps.

Vendors with apps that have signalled they are affected are still excluded, while we find alternatives.

If you have just found this thread and your app is affected please comment here or message me directly to request a temporary exclusion for your app so we can discuss alternatives.

Thanks, will look into it.

Second these points!

Totally agree. Don’t understand why presenting videos is dangerous.

This is also blocking showing PDF in iFrames. We missed this post so users are reporting this which breaks the app completely. Will try to understand how to ping you David but please find the Jira plugin below.