New sandboxing of Connect App Iframes in Confluence and Jira

@dboyd Please post the resolution here when you come to a conclusion, for the benefit of anyone following along with the conversation, now or in the future. I’d like to see Anton’s questions answered as well, for the record if nothing else.


I have updated MS Edge to the latest version and it started to work. I had 44 and the latest is 84.



I am asking a question regarding the sandbox for Bitbucket, since this post was shared in the announcement for sandboxing Bitbucket.

  1. How do we enable connect-iframe-sandbox? There is no documentation for it.
  2. Do we need to enable connect-iframe-sandbox on the account of the user using the app, or on the developer account?

Any more guidelines about what the allowlist is and where to specify the values mentioned in the announcement? (e.g. allow-downloads, allow-forms, allow-modals, allow-popups, allow-same-origin, allow-scripts, allow-top-navigation-by-user-activation (Firefox: allow-top-navigation)).

Generally speaking, glad to see more security. It would be great if we could have real documentation about breaking changes.



Hi @juli1,

You can read more about these changes here:


Thank you - I read the documentation. I do not think the documentation mentioned responds to any of the questions above. Is there any way to get clarification on the questions mentioned above? There is absolutely no linked documentation about how to test, not even a code sample. That is a breaking change and it would be useful to have more guidelines from the Atlassian staff.

Thank you.

Due to

allow-downloads should be included into sandbox for Bitbucket Connect Apps,

but when I activate Change notice: Sandboxing of Connect App iframes BETA in Bitbucket Labs
I can not see it, I see
sandbox="allow-forms allow-modals allow-popups allow-scripts allow-same-origin allow-top-navigation-by-user-activation"
so I can not download anything.

Please note, the options persist in Jira and Trello.

Please advise.

Thank you.

There is no answer from the Atlassian staff.

Would it be possible to have clear guidelines with code examples for testing and show how to test this change? This is a breaking change and there is nothing other than a simple announcement. The Bitbucket announcement has absolutely no instruction whatsoever about how to test (e.g. how to enable connect-iframe-sandbox - something I do not see on my account).

Please provide instructions.



If you need a workaround for the iframe restrictions: open a pop-up and start the download from there. That’s also how we were able to access the user’s microphone and camera in the Lively Recorder. :slight_smile:

You don’t want to build your app on top of such hacks and workarounds. This is not future proof, and will break. As a user you also don’t want to see popups or popunders.

There should be first-class support for such features. There is a ticket for fixing this problem in Atlassian Connect:
Please vote :slight_smile:

Fully agree but I also know that the chances for tickets like these being picked up aren’t nearly high enough to not use what works right now.


Hi @dboyd

We’re also using in our addon:

App key com.cprime.jira.plugins.surveyproject

Please enroll us for an extension.
Thanks, Elena, Cprime Products Team

Was fixed in BBS-146626.

I suspect that my app, Jenkins Integration for Jira, is also affected by this change. Just yesterday a user of the app informed me that links to their Jenkins instance from within Jira are not working as expected.

Before, the app would also generate links in its panels to jobs and builds in Jenkins, and these links would open in a new window.
But for the past couple of days all these links open with connection refused errors.

Looking into the issue it seems that the X-Frame-Options header with value sameorigin is the cause of the issue. Changing the link target from _blank to _top fixes the issue in that the links work again, but now the user is navigating away from Jira, which I would rather not do.

Is there a workaround available?

I also tried a redirect service endpoint but with no success.

Hi. What about allow-geolocation? How can the user location be retrieved? Regards. Mik.

Hi @Mik
Are you able to obtain the info you need from the AP.User JS API?


Can we have the 'allow-popups-to-escape-sandbox' option enabled as well? Currently, if an app opens a PDF file in a new tab, the file will not be rendered in Chrome.

Hi @becker,

Thanks for the feedback, we will need to investigate the security impact of adding the allow-popups-to-escape-sandbox value to the sandbox attribute.
I have raised a public ticket: ACJS-1197 - Investigate the impact of adding allow-popups-to-escape-sandbox value to Iframe sandbox attribute to keep track of this.

Is it possible for your app to provide a link for downloading the PDF as an alternative? As I understand, this may require a same-origin URL or blob/data.
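The thread compares the announced token allowlist with what Bitbucket actually renders, and the last reply weighs the security impact of adding allow-popups-to-escape-sandbox. The following is an added example, not code from the thread or from Atlassian: a small audit of an iframe sandbox attribute value that reports missing tokens against the announced list (folding in the Firefox alias for user-activated top navigation) and flags the combinations a reviewer would want to look at before widening the attribute. The token list and the two sample attribute values are taken from the posts above; the findings text is my own.

```javascript
// Tokens the sandbox attribute defines (HTML spec / MDN); anything else is ignored by browsers.
const KNOWN_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
]);

// Values quoted in the thread: the announced allowlist and what Bitbucket rendered.
const ANNOUNCED = 'allow-downloads allow-forms allow-modals allow-popups allow-same-origin allow-scripts allow-top-navigation-by-user-activation';
const BITBUCKET_OBSERVED = 'allow-forms allow-modals allow-popups allow-scripts allow-same-origin allow-top-navigation-by-user-activation';

// Sandbox tokens are ASCII case-insensitive and whitespace separated.
function parseSandbox(value) {
  return new Set(value.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Announced tokens absent from the observed attribute. The Firefox alias
// allow-top-navigation stands in for the user-activation variant, as the announcement notes.
function missingTokens(announced, observed) {
  const norm = (s) => new Set([...parseSandbox(s)].map(
    (t) => (t === 'allow-top-navigation' ? 'allow-top-navigation-by-user-activation' : t)));
  const have = norm(observed);
  return [...norm(announced)].filter((t) => !have.has(t)).sort();
}

// Review findings for a proposed attribute value. sameOriginContent should be true only
// when the framed document is served from the host's own origin (Connect apps are not).
function auditSandbox(value, { sameOriginContent = false } = {}) {
  const tokens = parseSandbox(value);
  const findings = [];
  for (const t of tokens) {
    if (!KNOWN_TOKENS.has(t)) findings.push(`unknown token (ignored by browsers): ${t}`);
  }
  if (sameOriginContent && tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    findings.push('allow-scripts with allow-same-origin on same-origin content: the frame can remove its own sandbox attribute');
  }
  if (tokens.has('allow-popups-to-escape-sandbox') && !tokens.has('allow-popups')) {
    findings.push('allow-popups-to-escape-sandbox has no effect without allow-popups');
  }
  if (tokens.has('allow-popups') && tokens.has('allow-popups-to-escape-sandbox')) {
    findings.push('windows opened by the frame are unsandboxed: they regain every capability the frame itself lacks');
  }
  if (tokens.has('allow-top-navigation')) {
    findings.push('allow-top-navigation allows navigating the host page without a user gesture; allow-top-navigation-by-user-activation is narrower');
  }
  return { tokens: [...tokens].sort(), findings };
}
```

Running `missingTokens(ANNOUNCED, BITBUCKET_OBSERVED)` reproduces the gap reported in the thread (allow-downloads), and `auditSandbox(BITBUCKET_OBSERVED + ' allow-popups-to-escape-sandbox')` shows the finding the ACJS ticket above is meant to investigate.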