New sandboxing of Connect App Iframes in Confluence and Jira

@johan.b.brodin I’ve temporarily removed the sandboxing from the app listed. I’ll reach out to you privately to discuss.

Hi @dboyd,
Could you please reconsider allow-presentation? Users embed all kinds of stuff in Confluence, and without an option to view it in a larger size, embedding will not be useful. It will be just like any other link.

For example, users will now need to go to YouTube to view an embedded video, because the embed size is very small in Confluence and can’t be viewed in fullscreen mode.

Also, security-wise, it should not be that bad?


Thanks for the feedback.
We’ll discuss again internally and I’ll post an update soon.

Update:
Regarding allow-presentation and fullscreen mode:

I investigated, and switching to a fullscreen presentation of embedded content such as a YouTube video from an app’s page is not possible either with or without the new iframe sandboxing.

This is because Connect does not support the allow="fullscreen" attribute on the app iframe, which is unrelated to sandboxing.

I’d recommend raising a feature request as a separate thread for discussion, if this is something you’d like to see supported.

Hi @dboyd,

Requesting a temporary exclusion for my app.

Thank you.

Maulik Adiecha

Hi @dboyd,
We missed this post! PDF attachments are no longer showing in our app:
“Failed to load as a plugin, because the frame into which the plugin is loading is sandboxed.”
Please exclude our app from being blocked.
Cheers

Hi @dboyd,

We missed this update. We were using an assignment to window.top.location.href in our app to redirect to our page, but it’s not working anymore.

As an alternative solution, we want to display a link to the user, but the iframe has opacity: 0; height: 0, which hides the rendered text. Is it possible to change it, or are there better alternatives?

Thanks!

Hi @SaidaTemirkhodjaeva

Thanks for getting in touch. I’ve temporarily disabled sandboxing for you, but Chrome (at least) is still blocking the redirect anyway.

In order to render the iframe, you should just need to add the following:

<head>
  <script src="https://connect-cdn.atl-paas.net/all.js"></script>
</head>

ref: https://developer.atlassian.com/cloud/jira/platform/about-the-javascript-api
Alternatively, you could open your page in a new tab:

window.open(url);

Hope that helps
Cool app, by the way!

Regards,
David Boyd
Atlassian Connect


Hi @dboyd,

Thanks for your prompt response and for temporarily disabling sandboxing for us! We are going to use both approaches, since window pop-ups are blocked by default. I will let you know when we apply these changes. Hope this will resolve our issue.

Best,
Saida Temirkhodjaeva

Hi @dboyd,

It’s working perfectly, thank you so much for your help. Please feel free to enable sandboxing for us again.

Thanks!
Saida Temirkhodjaeva

Hi,

Please consider adding the ‘allow-storage-access-by-user-activation’ sandbox attribute to the iframe. This is required for Intelligent Tracking Prevention, which is already supported by Safari and Firefox. As far as I know, Google Chrome will also support it in future versions.

The relevant topic from the Trello forum: Add allow-downloads to iframe sandbox attributes.

@becker Wow! I didn’t know that there is such a parameter; it would definitely be useful!

Does by-user-activation mean that the user needs to take an action like a click, and only after that can we start accessing third-party cookies?

Yes, the access will be granted after a click on the confirmation message.

@anton2 here is the relevant topic: Support of Storage Access API by Atlassian Connect
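The exchange above concerns how an app in a sandboxed, cross-site iframe gets at its storage: browsers may throw when the iframe touches sessionStorage at all, and the Storage Access API only grants first-party cookie access when the request is made from a user gesture (which is what the allow-storage-access-by-user-activation sandbox token permits). The following is an added example, not code from this thread or from Atlassian Connect. It assumes nothing about the Connect APIs: `doc` and `getStorage` are injected so the logic can run outside a browser; in a real page you would pass `document` and `() => window.sessionStorage`.

```javascript
// Added example (not from the thread or from Atlassian Connect): defensive
// storage access for an app running in a sandboxed third-party iframe.

// Some browsers throw a SecurityError when a cross-site iframe reads
// window.sessionStorage ("Access is denied for this document"). Wrap the
// access so the app degrades to an in-memory store instead of crashing.
function safeSessionStorage(getStorage) {
  try {
    const storage = getStorage();
    // Exercise it once: some browsers expose the object but throw on use.
    const probe = '__probe__';
    storage.setItem(probe, '1');
    storage.removeItem(probe);
    return { storage, persistent: true };
  } catch (err) {
    const mem = new Map();
    return {
      persistent: false,
      storage: {
        getItem: (k) => (mem.has(k) ? mem.get(k) : null),
        setItem: (k, v) => { mem.set(k, String(v)); },
        removeItem: (k) => { mem.delete(k); },
      },
    };
  }
}

// Storage Access API flow. `fromUserGesture` must be true only when this is
// called from a trusted click handler: without user activation the sandbox
// token (and the browser itself) rejects the request, so do not even try.
async function ensureStorageAccess(doc, fromUserGesture) {
  if (typeof doc.hasStorageAccess !== 'function') return 'unsupported';
  if (await doc.hasStorageAccess()) return 'granted';
  if (!fromUserGesture) return 'needs-gesture';
  try {
    await doc.requestStorageAccess();
    return 'granted';
  } catch (err) {
    // NotAllowedError: the user declined or the browser refused.
    return 'denied';
  }
}

// Wire-up for a real page: only a trusted (user-initiated) click may trigger
// the request; synthetic clicks carry isTrusted === false.
function attachStorageAccessButton(button, doc, onResult) {
  button.addEventListener('click', (ev) => {
    ensureStorageAccess(doc, ev.isTrusted).then(onResult);
  });
}
```

The `needs-gesture` result is what an app should render as a "click to enable" button rather than retrying in a loop; the `unsupported` result means the browser has no Storage Access API, so the app should fall back to whatever `safeSessionStorage` returned.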

Can I use the below JavaScript methods/properties from my cloud app?

  • window.sessionStorage
  • window.location.href
  • window.location.reload(true)
  • window.location.search
  • window.location.hash

Currently, I am getting the below error only in Chrome Incognito mode.

Uncaught (in promise) DOMException: Failed to read the 'sessionStorage' property from 'Window': Access is denied for this document.

The below function did not work for me… relativeUrl works perfectly to navigate inside the internal site.

// To navigate to any page in the outside site:
AP.navigator.go('site', {
  absoluteUrl: 'http://anyurl'
});

Hi @umang.savaliya

This is not possible with the Navigator API. From the docs:

absoluteUrl

Identifies a specific page within a site. Required for the site target and must be within the site’s domain.

This is for security reasons. Redirecting the browser to an external site from an app’s iframe must be associated with a user gesture.

Apps usually do this by:

  • rendering a link for the user to click
  • opening the external site in a new tab using window.open
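The answer above gives the two ways an app in a sandboxed iframe can send the user to an external site: render a link for the user to click, or call window.open from a user gesture; earlier in the thread both were combined because pop-ups may be blocked. The following is an added example of that pattern, not code from this thread or from Atlassian Connect. It assumes nothing about the Connect APIs; `win` is injected so the logic can be exercised outside a browser (pass `window` in a real page), and `attachExternalButton` is a hypothetical wire-up helper.

```javascript
// Added example (not from the thread or from Atlassian Connect): navigating
// to an external site from a sandboxed iframe. Assigning window.top.location
// is blocked by the sandbox, so the app offers a user-clickable link and,
// on click, tries window.open first and falls back to the link if blocked.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Validate and normalise an external URL. Rejecting javascript:, data: and
// other non-web schemes means a value taken from configuration or a query
// string cannot become a script-executing link. Returns null if unacceptable.
function externalHref(rawUrl) {
  let url;
  try {
    url = new URL(String(rawUrl));
  } catch (err) {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Render the user-clickable link. target=_blank with rel=noopener means the
// opened page gets no window.opener reference back into the iframe.
function renderExternalLink(rawUrl, text) {
  const href = externalHref(rawUrl);
  if (href === null) return null;
  return `<a href="${escapeHtml(href)}" target="_blank" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}

// Call from a click handler. Returns true when the new tab opened and false
// when the browser blocked the pop-up (then show the link instead). The
// opener is severed manually: passing 'noopener' in the features string
// makes window.open return null, which would hide a blocked pop-up.
function openExternal(rawUrl, win) {
  const href = externalHref(rawUrl);
  if (href === null) return false;
  const handle = win.open(href, '_blank');
  if (handle === null || handle === undefined) return false;
  handle.opener = null;
  return true;
}

// Wire-up for a real page: try the pop-up on click, fall back to the link.
function attachExternalButton(button, container, rawUrl, text, win) {
  button.addEventListener('click', () => {
    if (!openExternal(rawUrl, win)) {
      container.innerHTML = renderExternalLink(rawUrl, text) || '';
    }
  });
}
```

Because `openExternal` is only called inside the click handler, the navigation always carries the user gesture the sandbox requires; calling it from a timer or on page load would be blocked in the same way the original redirect was.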

@dboyd I have found that in Microsoft Edge something is broken with the ability to open links in the _top location by user clicks (Monosnap). At the same time, everything works fine in Chrome.

Looks like a bug in specifying permissions on your side.
Can you please check?

@anton2 I couldn’t reproduce with your production app in Microsoft Edge.
If you’re still experiencing issues, you could try using the Navigator JS API:

AP.navigator.go('site', {relativeUrl: '/plugins/servlet/ac/io.tempo.jira/oauth-authorize/?client_id=...'});


@dboyd thanks for the quick reply!

  1. What version of Microsoft Edge do you use?
  2. Should a regular <a href="…" target="_top"> work?
  3. Does AP.navigator.go work with absolute URLs? For connecting QuickBooks I need to redirect to another domain in the same window.

Let’s move to private messages to investigate further…